
Oracle® Fusion Middleware Installation Guide for Oracle Identity and Access Management

11g Release 2 (11.1.2)

E27301-04

December 2012


Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management, 11g Release 2 (11.1.2)

E27301-04

Copyright © 2012, Oracle and/or its affiliates. All rights reserved.

Primary Author: Nisha Singh

Contributors: Don Biasotti, Niranjan Ananthapadmanabha, Heeru Janweja, Deepak Ramakrishnan, Madhu Martin, Sergio Mendiola, Svetlana Kolomeyskaya, Sid Choudhury, Javed Beg, Eswar Vandanapu, Harsh Maheshwari, Sidhartha Das, Mark Karlstrand, Daniel Shih, Don Bosco Durai, Kamal Singh, Rey Ong, Gail Flanegin, Ellen Desmond, Priscilla Lee, Vinaye Misra, Toby Close, Ashish Kolli, Ashok Maram, Peter LaQuerre, Srinivasa Vedam, Vinay Shukla, Sanjeev Topiwala, Shaun Lin, Prakash Hulikere, Debapriya Dutta, Sujatha Ramesh, Ajay Keni, Ken Vincent

This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.

The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.

If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, the following notice is applicable:

U.S. GOVERNMENT RIGHTS Programs, software, databases, and related documentation and technical data delivered to U.S. Government customers are "commercial computer software" or "commercial technical data" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, the use, duplication, disclosure, modification, and adaptation shall be subject to the restrictions and license terms set forth in the applicable Government contract, and, to the extent applicable by the terms of the Government contract, the additional rights set forth in FAR 52.227-19, Commercial Computer Software License (December 2007). Oracle USA, Inc., 500 Oracle Parkway, Redwood City, CA 94065.

This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications.

Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

This software and documentation may provide access to or information on content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services.


Contents

Preface ..... xiii
Audience ..... xiii
Documentation Accessibility ..... xiii
Related Documents ..... xiii
Conventions ..... xiv

Part I Introduction and Preparation

1 Introduction

1.1 Overview of Oracle Identity and Access Management 11g Release 2 (11.1.2) ..... 1-1
1.2 Additional 11g Release 2 (11.1.2) Deployment Information ..... 1-1
1.2.1 Upgrading to Oracle Identity and Access Management 11g Release 2 (11.1.2) ..... 1-2
1.2.2 Installing Oracle Identity and Access Management 11g Release 2 (11.1.2) for High Availability ..... 1-2
1.2.3 Deploying Oracle Unified Directory with Oracle Identity and Access Management 11g Release 2 (11.1.2) ..... 1-2
1.3 Silent Installation ..... 1-2
1.4 Understanding the State of Oracle Identity and Access Management Components After Installation ..... 1-3
1.4.1 Default SSL Configurations ..... 1-3
1.4.2 Default Passwords ..... 1-3
1.5 Using This Guide ..... 1-3

2 Preparing to Install

2.1 Reviewing System Requirements and Certification ..... 2-1
2.2 Installing and Configuring Java Access Bridge (Windows Only) ..... 2-2
2.3 Identifying Installation Directories ..... 2-2
2.3.1 Oracle Middleware Home Location ..... 2-2
2.3.2 Oracle Home Directory ..... 2-2
2.3.3 Oracle Common Directory ..... 2-3
2.3.4 Oracle WebLogic Domain Directory ..... 2-3
2.3.5 WebLogic Server Directory ..... 2-3
2.4 Determining Port Numbers ..... 2-3
2.5 Locating Installation Log Files ..... 2-3


2.6 Optional: Updating the WebLogic Administrator Server User Name in Oracle Enterprise Manager Fusion Middleware Control (OIM Only) ..... 2-4

Part II Installing and Configuring Oracle Identity and Access Management (11.1.2)

3 Installing and Configuring Oracle Identity and Access Management (11.1.2)

3.1 Installation and Configuration Roadmap ..... 3-1
3.2 Installing and Configuring Oracle Identity and Access Management (11.1.2) ..... 3-2
3.2.1 Obtaining the Oracle Fusion Middleware Software ..... 3-2
3.2.2 Database Requirements ..... 3-3
3.2.2.1 Oracle Database 11.1.0.7 Patch Requirements for Oracle Identity Manager ..... 3-3
3.2.3 Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU) ..... 3-3
3.2.4 WebLogic Server and Middleware Home Requirements ..... 3-5
3.2.5 Installing Oracle SOA Suite 11.1.1.6.0 (Oracle Identity Manager Users Only) ..... 3-6
3.2.6 Starting the Oracle Identity and Access Management Installer ..... 3-6
3.2.7 Installing Oracle Identity and Access Management (11.1.2) ..... 3-7
3.2.7.1 Products Installed ..... 3-7
3.2.7.2 Dependencies ..... 3-9
3.2.7.3 Procedure ..... 3-9
3.2.7.4 Understanding the Directory Structure After Installation ..... 3-11
3.2.8 Configuring Oracle Identity and Access Management (11.1.2) Products ..... 3-11
3.2.9 Configuring Database Security Store for an Oracle Identity and Access Management Domain ..... 3-12
3.2.9.1 Overview ..... 3-13
3.2.9.2 Before Configuring Database Security Store ..... 3-14
3.2.9.3 Configuring the Database Security Store ..... 3-14
3.2.9.4 Example Scenarios for Configuring the Database Security Store ..... 3-16
3.2.10 Starting the Servers ..... 3-18

4 Configuring Oracle Identity Navigator

4.1 Important Note Before You Begin ..... 4-1
4.2 Installation and Configuration Roadmap for Oracle Identity Navigator ..... 4-1
4.3 Configuring Oracle Identity Navigator in a New WebLogic Domain ..... 4-2
4.3.1 Appropriate Deployment Environment ..... 4-2
4.3.2 Components Deployed ..... 4-3
4.3.3 Dependencies ..... 4-3
4.3.4 Procedure ..... 4-3
4.4 Starting the Servers ..... 4-4
4.5 Verifying Oracle Identity Navigator ..... 4-4
4.6 Getting Started with Oracle Identity Navigator After Installation ..... 4-6

5 Configuring Oracle Identity Manager

5.1 Important Notes Before You Start Configuring Oracle Identity Manager ..... 5-1
5.2 Installation and Configuration Roadmap for Oracle Identity Manager ..... 5-2


5.3 Creating a new WebLogic Domain for Oracle Identity Manager and SOA ..... 5-4
5.3.1 Appropriate Deployment Environment ..... 5-4
5.3.2 Components Deployed ..... 5-4
5.3.3 Dependencies ..... 5-4
5.3.4 Procedure ..... 5-4
5.4 Starting the Servers ..... 5-7
5.5 Overview of Oracle Identity Manager Configuration ..... 5-8
5.5.1 Before Configuring Oracle Identity Manager Server, Design Console, or Remote Manager ..... 5-8
5.5.1.1 Prerequisites for Configuring Oracle Identity Manager Server ..... 5-8
5.5.1.2 Prerequisites for Configuring Only Oracle Identity Manager Design Console on a Different Machine ..... 5-9
5.5.1.3 Prerequisites for Configuring Only Oracle Identity Manager Remote Manager on a Different Machine ..... 5-9
5.5.2 Oracle Identity Manager Configuration Scenarios ..... 5-10
5.5.2.1 Scope of Configuration Using the Oracle Identity Manager 11g Configuration Wizard ..... 5-10
5.5.2.2 Scenario 1: Oracle Identity Manager Server and Design Console on Different Machines ..... 5-11
5.5.2.3 Scenario 2: Oracle Identity Manager Server and Remote Manager on Different Machines ..... 5-11
5.5.2.4 Scenario 3: Oracle Identity Manager Server, Design Console, and Remote Manager on a Single Windows Machine ..... 5-12
5.6 Starting the Oracle Identity Manager 11g Configuration Wizard ..... 5-12
5.7 Configuring Oracle Identity Manager Server ..... 5-12
5.7.1 Appropriate Deployment Environment ..... 5-13
5.7.2 Components Deployed ..... 5-13
5.7.3 Dependencies ..... 5-13
5.7.4 Procedure ..... 5-13
5.7.5 Completing the Prerequisites for Enabling LDAP Synchronization ..... 5-17
5.7.5.1 Preconfiguring the Identity Store ..... 5-17
5.7.5.2 Creating Adapters in Oracle Virtual Directory ..... 5-22
5.7.6 Running the LDAP Post-Configuration Utility ..... 5-38
5.7.7 Verifying the LDAP Synchronization ..... 5-42
5.7.8 Post-Configuration Steps ..... 5-42
5.7.9 Setting oamEnabled Parameter for Identity Virtualization Library ..... 5-44
5.7.10 Enabling LDAP Sync after Installing and Configuring Oracle Identity Manager Server at a Later Point ..... 5-45
5.8 Optional: Configuring Oracle Identity Manager Design Console ..... 5-45
5.8.1 Appropriate Deployment Environment ..... 5-46
5.8.2 Components Deployed ..... 5-46
5.8.3 Dependencies ..... 5-46
5.8.4 Procedure ..... 5-46
5.8.5 Post-Configuration Steps ..... 5-47
5.8.6 Updating the xlconfig.xml File to Change the Port for Design Console ..... 5-48
5.8.7 Configuring Design Console to Use SSL ..... 5-48
5.9 Optional: Configuring Oracle Identity Manager Remote Manager ..... 5-49
5.9.1 Appropriate Deployment Environment ..... 5-49


5.9.2 Components Deployed ..... 5-50
5.9.3 Dependencies ..... 5-50
5.9.4 Procedure ..... 5-50
5.10 Verifying the Oracle Identity Manager Installation ..... 5-51
5.11 Setting Up Integration with Oracle Access Management ..... 5-52
5.12 List of Supported Languages ..... 5-52
5.13 Using the Diagnostic Dashboard ..... 5-52
5.14 Getting Started with Oracle Identity Manager After Installation ..... 5-53

6 Configuring Oracle Access Management

6.1 Overview ..... 6-1
6.2 Important Note Before You Begin ..... 6-1
6.3 Installation and Configuration Roadmap for Oracle Access Management ..... 6-2
6.4 Optional: Setting Up TDE for Oracle Access Management ..... 6-3
6.5 Oracle Access Management in a New WebLogic Domain ..... 6-4
6.5.1 Appropriate Deployment Environment ..... 6-4
6.5.2 Components Deployed ..... 6-4
6.5.3 Dependencies ..... 6-4
6.5.4 Procedure ..... 6-4
6.6 Starting the Servers ..... 6-6
6.7 Optional Post-Installation Tasks ..... 6-6
6.8 Verifying the Oracle Access Management Installation ..... 6-7
6.9 Setting Up Oracle Access Manager Agents ..... 6-7
6.9.1 Installing and Configuring the Agent ..... 6-7
6.9.1.1 Setting Up Oracle HTTP Server WebGate ..... 6-7
6.9.1.2 Setting Up the OSSO Agent ..... 6-8
6.9.1.3 Setting Up the OpenSSO Agent ..... 6-9
6.9.2 Registering Agents and Applications by Using the Console ..... 6-9
6.9.3 Restarting the WebLogic Managed Servers ..... 6-9
6.10 Setting Up Integration with OIM ..... 6-9
6.11 Getting Started with Oracle Access Management After Installation ..... 6-10

7 Configuring Oracle Adaptive Access Manager

7.1 Overview ..... 7-1
7.2 Important Note Before You Begin ..... 7-1
7.3 Installation and Configuration Roadmap for Oracle Adaptive Access Manager ..... 7-2
7.4 Oracle Adaptive Access Manager in a New WebLogic Domain ..... 7-3
7.4.1 Appropriate Deployment Environment ..... 7-3
7.4.2 Components Deployed ..... 7-3
7.4.3 Dependencies ..... 7-3
7.4.4 Procedure ..... 7-4
7.5 Configuring Oracle Adaptive Access Manager (Offline) ..... 7-6
7.5.1 Components Deployed ..... 7-6
7.5.2 Dependencies ..... 7-6
7.5.3 Procedure ..... 7-6
7.6 Starting the Servers ..... 7-8
7.7 Post-Installation Steps ..... 7-8


7.8 Verifying the Oracle Adaptive Access Manager Installation ..... 7-11
7.9 Migrating Policy and Credential Stores ..... 7-11
7.9.1 Creating JPS Root ..... 7-11
7.9.2 Reassociating the Policy and Credential Store ..... 7-12
7.10 Getting Started with Oracle Adaptive Access Manager After Installation ..... 7-13

8 Installing and Configuring Oracle Entitlements Server

8.1 Important Note Before You Begin ..... 8-1
8.2 Overview of Oracle Entitlements Server 11g Installation ..... 8-1
8.3 Installation and Configuration Roadmap for Oracle Entitlements Server ..... 8-2
8.4 Creating Oracle Entitlement Server Schemas (For Apache Derby Only) ..... 8-3
8.5 Configuring Oracle Entitlements Server Administration Server ..... 8-4
8.5.1 Components Deployed ..... 8-4
8.5.2 Prerequisites ..... 8-5
8.5.2.1 Installing Oracle Entitlements Server ..... 8-5
8.5.2.2 Extracting Apache Derby Template (Optional) ..... 8-5
8.5.3 Configuring Oracle Entitlements Server in a New WebLogic Domain ..... 8-5
8.5.4 Configuring Security Store for Oracle Entitlements Server Administration Server ..... 8-7
8.5.5 Starting the Administration Server ..... 8-9
8.5.6 Verifying Oracle Entitlements Server Administration Server Configuration ..... 8-9
8.6 Installing Oracle Entitlements Server Client ..... 8-9
8.6.1 Prerequisites ..... 8-9
8.6.2 Obtaining Oracle Entitlements Server Client Software ..... 8-10
8.6.3 Installing Oracle Entitlements Server Client ..... 8-10
8.6.4 Verifying Oracle Entitlements Server Client Installation ..... 8-11
8.6.5 Applying a Patch Using OPatch ..... 8-11
8.7 Configuring Oracle Entitlements Server Client ..... 8-12
8.7.1 Configuring Security Modules in a Controlled Push Mode (Quick Configuration) ..... 8-12
8.7.1.1 Configuring Java Security Module in a Controlled Push Mode ..... 8-12
8.7.1.2 Configuring RMI Security Module in a Controlled Push Mode ..... 8-13
8.7.1.3 Configuring Web Service Security Module in a Controlled Push Mode ..... 8-13
8.7.1.4 Configuring Oracle WebLogic Server Security Module in a Controlled Push Mode ..... 8-13
8.7.2 Configuring Distribution Modes ..... 8-14
8.7.2.1 Configuring Controlled Distribution ..... 8-14
8.7.2.2 Configuring Non-Controlled and Controlled Pull Distribution Mode ..... 8-14
8.7.3 Configuring Security Modules ..... 8-15
8.7.3.1 Configuring WebLogic Server Security Module ..... 8-15
8.7.3.2 Configuring Web Service Security Module ..... 8-21
8.7.3.3 Configuring Web Service Security Module on Oracle WebLogic Server ..... 8-22
8.7.3.4 Configuring Oracle Service Bus Security Module ..... 8-28
8.7.3.5 Configuring IBM WebSphere Security Module ..... 8-32
8.7.3.6 Configuring JBoss Security Module ..... 8-36
8.7.3.7 Configuring the Apache Tomcat Security Module ..... 8-37
8.7.3.8 Configuring Java Security Module ..... 8-38
8.7.3.9 Configuring RMI Security Module ..... 8-38


8.7.3.10 Configuring Microsoft .NET Security Module ..... 8-39
8.7.3.11 Configuring Microsoft SharePoint Server (MOSS) Security Module ..... 8-41
8.7.4 Locating Security Module Instances ..... 8-45
8.7.5 Using the Java Security Module ..... 8-46
8.7.6 Configuring the PDP Proxy Client ..... 8-46
8.8 Getting Started with Oracle Entitlements Server After Installation ..... 8-46

9 Configuring Oracle Privileged Account Manager

9.1 Overview ..... 9-1
9.2 Important Note Before You Begin ..... 9-1
9.3 Installation and Configuration Roadmap for Oracle Privileged Account Manager ..... 9-1
9.4 Configuring Oracle Privileged Account Manager and Oracle Identity Navigator in a New WebLogic Domain ..... 9-3
9.4.1 Appropriate Deployment Environment ..... 9-3
9.4.2 Components Deployed ..... 9-3
9.4.3 Dependencies ..... 9-3
9.4.4 Procedure ..... 9-3
9.5 Starting the Oracle WebLogic Administration Server ..... 9-5
9.6 Post-Installation Tasks ..... 9-5
9.7 Starting the Managed Server ..... 9-6
9.8 Assigning the Application Configurator Role to a User ..... 9-6
9.9 Verifying Oracle Privileged Account Manager ..... 9-7
9.10 Getting Started with Oracle Privileged Account Manager After Installation ..... 9-7

10 Configuring Oracle Access Management Mobile and Social

10.1 Overview ..... 10-1
10.2 Important Note Before You Begin ..... 10-1
10.3 Installation and Configuration Roadmap for Oracle Access Management Mobile and Social ..... 10-1
10.4 Oracle Access Management Mobile and Social Configuration Scenarios ..... 10-3
10.4.1 Oracle Access Management Mobile and Social with Oracle Access Manager 11gR2 ..... 10-3
10.4.1.1 Overview ..... 10-3
10.4.1.2 Appropriate Deployment Environment ..... 10-3
10.4.1.3 Components Deployed ..... 10-3
10.4.1.4 Dependencies ..... 10-3
10.4.1.5 Procedure ..... 10-4
10.4.2 Oracle Access Management Mobile and Social Standalone in a New WebLogic Domain ..... 10-6
10.4.2.1 Overview ..... 10-6
10.4.2.2 Appropriate Deployment Environment ..... 10-7
10.4.2.3 Components Deployed ..... 10-7
10.4.2.4 Dependencies ..... 10-7
10.4.2.5 Procedure ..... 10-7
10.5 Verifying Oracle Access Management Mobile and Social ..... 10-9
10.6 Getting Started with Oracle Access Management Mobile and Social After Installation ..... 10-9

11 Migrating from Domain Agent to Oracle HTTP Server 10g Webgate for Oracle Access Manager

11.1 Installing and Configuring Oracle HTTP Server 11g (11.1.1.5.0) ... 11-1
11.2 Provisioning Oracle HTTP Server 10g Webgate for Oracle Access Manager Profile ... 11-2
11.3 Installing Oracle HTTP Server 10g Webgate for Oracle Access Manager ... 11-2
11.4 Configuring mod_weblogic ... 11-2
11.5 Optional: Configuring Host Identifier ... 11-3
11.6 Updating Oracle Identity Manager Server Configuration ... 11-4
11.7 Optional: Disabling Domain Agent ... 11-5
11.8 Optional: Updating Oracle Identity Manager Configuration ... 11-5

12 Installing and Configuring Oracle HTTP Server 11g Webgate for Oracle Access Manager

12.1 Installation Overview ... 12-1
12.2 Preparing to Install Oracle HTTP Server 11g Webgate for Oracle Access Manager ... 12-2
12.2.1 Oracle Fusion Middleware Certification ... 12-2
12.2.2 Installing and Configuring Oracle Access Manager 11g ... 12-2
12.2.3 Installing and Configuring Oracle HTTP Server 11g ... 12-3
12.2.4 Installing Third-Party GCC Libraries (Linux and Solaris Operating Systems Only) ... 12-3
12.2.4.1 Verifying the GCC Libraries Version on Linux and Solaris Operating Systems ... 12-4
12.2.5 Prerequisites for 64-Bit Oracle HTTP Server 11g Webgates on Windows 2003 and Windows 2008 64-Bit Platforms ... 12-4
12.3 Installing Oracle HTTP Server 11g Webgate for Oracle Access Manager ... 12-5
12.3.1 Launching the Installer ... 12-5
12.3.2 Installation Flow and Procedure ... 12-5
12.4 Post-Installation Steps ... 12-6
12.5 Verifying the Oracle HTTP Server 11g Webgate for Oracle Access Manager ... 12-8
12.6 Getting Started with a New Oracle HTTP Server 11g Webgate Agent for Oracle Access Manager ... 12-8
12.6.1 Register the New Webgate Agent ... 12-8
12.6.2 Copy Generated Files and Artifacts to the Webgate Instance Location ... 12-12
12.6.2.1 OPEN Mode ... 12-12
12.6.2.2 SIMPLE Mode ... 12-12
12.6.2.3 CERT Mode ... 12-12
12.6.3 Restart the Oracle HTTP Server Instance ... 12-14

13 Lifecycle Management

13.1 How Lifecycle Events Impact Integrated Components ... 13-1
13.2 LCM for Oracle Identity Manager ... 13-1
13.3 LCM for Oracle Access Manager ... 13-2
13.4 LCM for Oracle Adaptive Access Manager ... 13-2
13.5 LCM for Oracle Identity Navigator ... 13-3
13.6 References ... 13-3

Part III Appendixes

A Oracle Identity and Access Management 11g Release 2 (11.1.2) Software Installation Screens

A.1 Welcome ... A-1
A.2 Install Software Updates ... A-2
A.3 Prerequisite Checks ... A-3
A.4 Specify Installation Location ... A-4
A.5 Installation Summary ... A-6
A.6 Installation Progress ... A-6
A.7 Installation Complete ... A-7

B Oracle Identity Manager Configuration Screens

B.1 Welcome ... B-1
B.2 Components to Configure ... B-3
B.3 Database ... B-4
B.4 WebLogic Admin Server ... B-5
B.5 OIM Server ... B-6
B.6 LDAP Server ... B-8
B.7 LDAP Server Continued ... B-9
B.8 Configuration Summary ... B-10

C Starting or Stopping the Oracle Stack

C.1 Starting the Stack ... C-1
C.2 Stopping the Stack ... C-4
C.3 Restarting Servers ... C-4

D Preconfiguring Oracle Directory Server Enterprise Edition (ODSEE)

E Preconfiguring Oracle Unified Directory (OUD)

F Preconfiguring Oracle Internet Directory (OID)

G Deinstalling and Reinstalling Oracle Identity and Access Management

G.1 Deinstalling Oracle Identity and Access Management ... G-1
G.1.1 Deinstalling the Oracle Identity and Access Management Oracle Home ... G-1
G.1.2 Deinstalling the Oracle Common Home ... G-2
G.2 Reinstalling Oracle Identity and Access Management ... G-3

H Performing Silent Installations

H.1 What is a Silent Installation? ... H-1
H.2 Before Performing a Silent Installation ... H-1
H.2.1 UNIX Systems: Creating the oraInst.loc File ... H-1
H.2.2 Windows Systems: Creating the Registry Key ... H-2
H.3 Creating Response Files ... H-2

H.3.1 OIM, OAM, OAAM, OES, and OIN ... H-3
H.3.2 Securing Your Silent Installation ... H-3
H.4 Performing a Silent Installation ... H-3
H.5 Installer Command Line Parameters ... H-4

I Troubleshooting the Installation

I.1 General Troubleshooting Tips ... I-1
I.2 Installation Log Files ... I-2
I.3 Configuring OIM Against an Existing OIM 11g Schema ... I-2
I.4 Need More Help? ... I-3

J Oracle Adaptive Access Manager Partition Schema Reference

J.1 Overview ... J-1
J.2 Partition Add Maintenance ... J-2
J.2.1 Sp_Oaam_Add_Monthly_Partition ... J-2
J.2.2 Sp_Oaam_Add_Weekly_Partition ... J-2
J.3 Partition Maintenance Scripts ... J-3
J.3.1 drop_monthly_partition_tables.sql ... J-3
J.3.2 drop_weekly_partition_tables.sql ... J-3
J.3.3 add_monthly_partition_tables.sql ... J-3
J.3.4 add_weekly_partition_tables.sql ... J-3

K Software Deinstallation Screens

K.1 Welcome ... K-1
K.2 Select Deinstallation Type ... K-2
K.2.1 Option 1: Deinstall Oracle Home ... K-2
K.2.1.1 Deinstall Oracle Home ... K-3
K.2.2 Option 2: Deinstall ASInstances managed by WebLogic Domain ... K-3
K.2.2.1 Specify WebLogic Domain Detail ... K-3
K.2.2.2 Select Managed Instance ... K-4
K.2.2.3 Deinstallation Summary (Managed Instance) ... K-5
K.2.3 Option 3: Deinstall Unmanaged ASInstances ... K-6
K.2.3.1 Specify Instance Location ... K-6
K.2.3.2 Deinstallation Summary (Unmanaged ASInstance) ... K-6
K.3 Deinstallation Progress ... K-7
K.4 Deinstallation Complete ... K-8

Preface

This Preface provides supporting information for the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management and includes the following topics:

■ Audience

■ Documentation Accessibility

■ Related Documents

■ Conventions

Audience

The Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management is intended for administrators who are responsible for installing Oracle Identity and Access Management components.

This document assumes you have experience installing enterprise components. Basic knowledge about the Oracle Identity and Access Management components and Oracle Application Server is recommended.

Documentation Accessibility

For information about Oracle's commitment to accessibility, visit the Oracle Accessibility Program website at http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc.

Access to Oracle Support

Oracle customers have access to electronic support through My Oracle Support. For information, visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.

Related Documents

This section identifies additional documents related to Oracle Identity and Access Management. You can access Oracle documentation online from the Oracle Technology Network (OTN) Web site at the following URL:

http://docs.oracle.com/

Refer to the following documents for additional information on each subject:

Oracle Fusion Middleware

■ Oracle Fusion Middleware Administrator's Guide

■ Oracle Fusion Middleware Security Guide

High Availability

Oracle Fusion Middleware High Availability Guide

Oracle Fusion Middleware Repository Creation Utility

Oracle Fusion Middleware Repository Creation Utility User's Guide

Oracle Identity Manager

Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager

Oracle Access Management

Oracle Fusion Middleware Administrator's Guide for Oracle Access Management

Oracle Adaptive Access Manager

Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager

Oracle Identity Navigator

Oracle Fusion Middleware Administrator's Guide for Oracle Identity Navigator

Oracle Privileged Account Manager

Oracle Fusion Middleware Administrator's Guide for Oracle Privileged Account Manager

Oracle Access Management Mobile and Social

Oracle Fusion Middleware Administrator's Guide for Oracle Access Management

Oracle Entitlements Server

Oracle Fusion Middleware Administrator's Guide for Oracle Entitlements Server

Conventions

The following text conventions are used in this document:

boldface: Boldface type indicates graphical user interface elements associated with an action, or terms defined in text or the glossary.

italic: Italic type indicates book titles, emphasis, or placeholder variables for which you supply particular values.

monospace: Monospace type indicates commands within a paragraph, URLs, code in examples, text that appears on the screen, or text that you enter.

Part I Introduction and Preparation

Part I introduces Oracle Identity and Access Management 11g Release 2 (11.1.2) installation and describes how to perform preparatory tasks. It contains the following chapters:

■ Chapter 1, "Introduction"

■ Chapter 2, "Preparing to Install"

1 Introduction

This chapter provides an overview of Oracle Identity and Access Management 11g Release 2 (11.1.2). This chapter includes the following topics:

■ Overview of Oracle Identity and Access Management 11g Release 2 (11.1.2)

■ Additional 11g Release 2 (11.1.2) Deployment Information

■ Silent Installation

■ Understanding the State of Oracle Identity and Access Management Components After Installation

■ Using This Guide

1.1 Overview of Oracle Identity and Access Management 11g Release 2 (11.1.2)

Oracle Identity and Access Management 11g Release 2 (11.1.2) includes the following components:

■ Oracle Identity Manager

■ Oracle Access Management

■ Oracle Identity Navigator

■ Oracle Adaptive Access Manager

■ Oracle Entitlements Server

■ Oracle Privileged Account Manager

■ Oracle Access Management Mobile and Social

1.2 Additional 11g Release 2 (11.1.2) Deployment Information

This topic describes additional sources for 11g Release 2 (11.1.2) deployment information, including documentation on the following subjects:

■ Upgrading to Oracle Identity and Access Management 11g Release 2 (11.1.2)

■ Installing Oracle Identity and Access Management 11g Release 2 (11.1.2) for High Availability

■ Deploying Oracle Unified Directory with Oracle Identity and Access Management 11g Release 2 (11.1.2)

Note: Oracle Unified Directory 11g Release 2 installation is not covered in this guide. For information on installing Oracle Unified Directory 11g Release 2, see the Oracle Unified Directory Installation Guide.

1.2.1 Upgrading to Oracle Identity and Access Management 11g Release 2 (11.1.2)

This guide does not explain how to upgrade previous versions of Oracle Identity and Access Management components, including any previous database schemas, to 11g Release 2 (11.1.2). To upgrade an Oracle Identity and Access Management component, refer to Oracle Fusion Middleware Upgrade and Migration Guide for Oracle Identity and Access Management.

1.2.2 Installing Oracle Identity and Access Management 11g Release 2 (11.1.2) for High Availability

This guide does not explain how to install Oracle Identity and Access Management components in High Availability (HA) configurations. To install an Oracle Identity and Access Management component in a High Availability configuration, refer to Oracle Fusion Middleware High Availability Guide.

Specifically, see the "Configuring High Availability for Identity and Access Management Components" topic in the Oracle Fusion Middleware High Availability Guide.

1.2.3 Deploying Oracle Unified Directory with Oracle Identity and Access Management 11g Release 2 (11.1.2)

Oracle Unified Directory (OUD) 11g Release 2 can be deployed in the following ways:

■ Oracle Unified Directory 11g Release 2 in an Oracle Identity and Access Management 11g Release 2 (11.1.2) domain.

■ Oracle Identity and Access Management 11g Release 2 (11.1.2) products in an Oracle Unified Directory 11g Release 2 domain.

1.3 Silent Installation

In addition to the standard graphical installation option, you can perform a silent installation of the Oracle Identity and Access Management 11g software. A silent installation runs on its own without any intervention: you do not have to monitor the installation or provide input to dialog boxes.

For more information, see Appendix H.4, "Performing a Silent Installation".

See Also: The "Related Documents" section in this guide’s Preface for a list of documents that provide additional information about Oracle Identity and Access Management components.


1.4 Understanding the State of Oracle Identity and Access Management Components After Installation

This topic provides information about the state of Oracle Identity and Access Management components after installation, including:

■ Default SSL Configurations

■ Default Passwords

1.4.1 Default SSL Configurations

By default, most of the Oracle Identity and Access Management 11g components are not installed with SSL configured. Only Oracle Adaptive Access Manager is configured with SSL. For the other components, you must configure SSL for the Oracle WebLogic Administration Server and Oracle WebLogic Managed Server after installation.

See: The "SSL Configuration in Oracle Fusion Middleware" topic in the Oracle Fusion Middleware Administrator's Guide for more information.

1.4.2 Default Passwords

By default, the passwords for all Oracle Identity and Access Management components are set to the password for the Oracle Identity and Access Management Instance. For security reasons, after installation you should change the password of each component so that no two components share the same password.

See: The following documents for information about changing passwords for Oracle Identity and Access Management components:

■ The "Getting Started Managing Oracle Fusion Middleware" topic in the Oracle Fusion Middleware Administrator's Guide.

■ Component-specific guides listed in the "Related Documents" section in this guide's Preface.

1.5 Using This Guide

Each document in the Oracle Fusion Middleware Documentation Library has a specific purpose. The specific purpose of this guide is to explain how to:

1. Install single instances of Oracle Identity and Access Management 11g Release 2 (11.1.2) components.

2. Verify that the installation was successful.

3. Get started with the component after installation.

This guide covers the most common, certified Oracle Identity and Access Management deployments. The following information is provided for each of these deployments:

■ Appropriate Installation Environment: Helps you determine which installation is appropriate for your environment.

■ Components Installed: Identifies the components that are installed in each scenario.

■ Dependencies: Identifies the components each installation depends on.

■ Procedure: Explains the steps for the installation.

Part II of this guide explains how to install Oracle Identity Manager, Oracle Access Management, Oracle Adaptive Access Manager, Oracle Entitlements Server, Oracle Identity Navigator, Oracle Privileged Account Manager, and Oracle Access Management Mobile and Social, by using the Oracle Identity and Access Management 11.1.2 Installer and the Oracle Fusion Middleware Configuration Wizard. The Oracle Identity Manager 11g Configuration Wizard is used for configuring Oracle Identity Manager only.

The following is a list of recommendations on how to use the information in this guide to install Oracle Identity and Access Management 11g Release 2 (11.1.2):

1. Review Chapter 1, "Introduction," for context.

2. Review Chapter 2, "Preparing to Install," for information about what you should consider before you deploy Oracle Identity and Access Management.

3. Review Chapter 3, "Installing and Configuring Oracle Identity and Access Management (11.1.2)," for general installation and configuration information which applies to all Oracle Identity and Access Management 11g Release 2 (11.1.2) products.

4. Install, configure, verify, and get started with your Oracle Identity and Access Management component by referring to its specific chapter in this guide.

5. Use the appendixes in this guide as needed.

See Also: The "Related Documents" section in this guide’s Preface for a list of documents that provide additional information about Oracle Identity and Access Management components.

2 Preparing to Install

This chapter provides information you should review before installing Oracle Identity and Access Management 11g Release 2 (11.1.2).

This chapter discusses the following topics:

■ Reviewing System Requirements and Certification

■ Installing and Configuring Java Access Bridge (Windows Only)

■ Identifying Installation Directories

■ Determining Port Numbers

■ Locating Installation Log Files

■ Optional: Updating the WebLogic Administrator Server User Name in Oracle Enterprise Manager Fusion Middleware Control (OIM Only)

2.1 Reviewing System Requirements and Certification

Before performing any installation, you should read the system requirements and certification documents to ensure that your environment meets the minimum installation requirements for the products you are installing.

■ Oracle Fusion Middleware System Requirements and Specifications

This document contains information related to hardware and software requirements, minimum disk space and memory requirements, and required system libraries, packages, or patches.

■ Oracle Fusion Middleware Supported System Configurations

This document contains information related to supported installation types, platforms, operating systems, databases, JDKs, and third-party products.

■ Oracle Fusion Middleware Interoperability and Compatibility Guide

Refer to this document for interoperability and compatibility issues that may arise when installing. It contains important information regarding the ability of Oracle Fusion Middleware products to function with previous versions of other Oracle Fusion Middleware, Oracle, or third-party products. This information is applicable both to new Oracle Fusion Middleware users and to existing users who are upgrading their existing environment.

2.2 Installing and Configuring Java Access Bridge (Windows Only)

If you are installing Oracle Identity and Access Management on a Windows operating system, you have the option of installing and configuring Java Access Bridge for Section 508 Accessibility. This is only necessary if you require Section 508 Accessibility features:

1. Download Java Access Bridge from the following URL:

http://java.sun.com/javase/technologies/accessibility/accessbridge/

2. Install Java Access Bridge.

3. Copy access-bridge.jar and jaccess-1_4.jar from your installation location to the jre\lib\ext directory.

4. Copy the WindowsAccessBridge.dll, JavaAccessBridge.dll, and JAWTAccessBridge.dll files from your installation location to the jre\bin directory.

5. Copy the accessibility.properties file to the jre\lib directory.

2.3 Identifying Installation Directories

This topic describes directories you must identify in most Oracle Identity and Access Management installations and configurations.

The common directories described in this section include the following:

■ Oracle Middleware Home Location

■ Oracle Home Directory

■ Oracle Common Directory

■ Oracle WebLogic Domain Directory

■ WebLogic Server Directory

For more information about the common directories and basic concepts of Oracle Fusion Middleware and Oracle WebLogic Server, refer to "Understanding Oracle Fusion Middleware Concepts" in the Oracle Fusion Middleware Administrator's Guide.

2.3.1 Oracle Middleware Home Location

Identify the location of your Oracle Middleware Home directory. The Installer creates an Oracle Home directory for the component you are installing under the Oracle Middleware Home that you identify in this field. The Oracle Middleware Home directory is commonly referred to as MW_HOME.

2.3.2 Oracle Home Directory

Enter a name for the Oracle Home directory of the component. The Installer uses the name you enter in this field to create the Oracle Home directory under the location you enter in the Oracle Middleware Home Location field.

The Installer installs the files required to host the component, such as binaries and libraries, in the Oracle Home directory. In examples, the Oracle home path is identified with the ORACLE_HOME variable.

2.3.3 Oracle Common Directory

The Installer creates this directory under the location you enter in the Oracle Middleware Home Location field.

The Installer installs the Oracle Java Required Files (JRF) required to host the components in the Oracle Common directory. There can be only one Oracle Common Home within each Oracle Middleware Home. In examples, the Oracle Common directory is identified with the oracle_common variable.

2.3.4 Oracle WebLogic Domain Directory

A WebLogic domain includes a special WebLogic Server instance called the Administration Server, which is the central point from which you configure and manage all resources in the domain. Usually, you configure a domain to include additional WebLogic Server instances called Managed Servers. You deploy Java components, such as Web applications, EJBs, and Web services, and other resources to the Managed Servers and use the Administration Server for configuration and management purposes only.

Managed Servers in a domain can be grouped together into a cluster.

The directory structure of a domain is separate from the directory structure of the WebLogic Server home. It can reside anywhere; it need not be within the Middleware home directory. A domain is a peer of an Oracle instance.

By default, the Oracle Fusion Middleware Configuration Wizard creates a domain in a directory named user_projects under your Middleware Home (MW_HOME).

2.3.5 WebLogic Server Directory

Enter the path to your Oracle WebLogic Server Home directory. This directory contains the files required to host the Oracle WebLogic Server. In examples, it is identified with the WL_HOME variable.

2.4 Determining Port Numbers

If you want to install an Oracle Identity and Access Management 11g Release 2 (11.1.2) component against an existing Oracle Identity and Access Management component, you may need to identify the ports for the existing component. For example, if you want to install Oracle Identity Manager against an existing Oracle Internet Directory instance, then you must identify its port when you install Oracle Identity Manager.

2.5 Locating Installation Log Files

The Installer writes log files to the ORACLE_INVENTORY_LOCATION/logs directory on UNIX systems and to the ORACLE_INVENTORY_LOCATION\logs directory on Windows systems.

On UNIX systems, if you do not know the location of your Oracle Inventory directory, you can find it in the ORACLE_HOME/oraInst.loc file.

Note: Avoid using spaces in the directory names, including Oracle Home. Spaces in such directory names are not supported.

On Microsoft Windows systems, the default location for the inventory directory is C:\Program Files\Oracle\Inventory\logs.

The following install log files are written to the log directory:

■ installDATE-TIME_STAMP.log

■ installDATE-TIME_STAMP.out

■ installActionsDATE-TIME_STAMP.log

■ installProfileDATE-TIME_STAMP.log

■ oraInstallDATE-TIME_STAMP.err

■ oraInstallDATE-TIME_STAMP.log
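The following pre-install check is an added example and is not part of the Oracle guide. It enforces the directory conventions from Section 2.3 (absolute Oracle Home and Middleware Home names without spaces) and resolves the installer log directory from ORACLE_HOME/oraInst.loc as Section 2.5 describes; every path it uses is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: pre-install checks for the
# directory and log conventions in Sections 2.3 and 2.5 (UNIX layout).
# Every path used here is a constructed sample.

# Oracle Home and Middleware Home names must not contain spaces. The check
# also insists on an absolute path so that ORACLE_HOME-relative lookups
# (such as ORACLE_HOME/oraInst.loc) do not depend on the current directory.
iam_path_ok() {
    case "$1" in
        /*) ;;                      # absolute path required
        *)  return 1 ;;
    esac
    case "$1" in
        *[[:space:]]*) return 1 ;;  # spaces in directory names are not supported
    esac
    return 0
}

# Resolve the installer log directory: read inventory_loc from
# ORACLE_HOME/oraInst.loc and append /logs.
iam_inventory_logs() {
    loc_file="$1/oraInst.loc"
    [ -r "$loc_file" ] || return 1
    inv=$(sed -n 's/^inventory_loc=//p' "$loc_file" | head -n 1)
    [ -n "$inv" ] || return 1
    printf '%s/logs\n' "$inv"
}

# Print the installer log files present in a log directory, one per line,
# matching the installDATE-TIME_STAMP.* and oraInstallDATE-TIME_STAMP.*
# names listed in Section 2.5.
iam_list_install_logs() {
    for f in "$1"/install* "$1"/oraInstall*; do
        [ -e "$f" ] && printf '%s\n' "${f##*/}"
    done
    return 0
}

# Demonstration with a constructed ORACLE_HOME and inventory in a temp dir.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/oh" "$demo_dir/inventory/logs"
printf 'inventory_loc=%s/inventory\ninst_group=oinstall\n' "$demo_dir" \
    > "$demo_dir/oh/oraInst.loc"
: > "$demo_dir/inventory/logs/installActions2012-12-01_10-00-00AM.log"
: > "$demo_dir/inventory/logs/oraInstall2012-12-01_10-00-00AM.err"
if iam_path_ok "$demo_dir/oh"; then
    echo "ORACLE_HOME name accepted: $demo_dir/oh"
fi
if ! iam_path_ok "/u01/app/Oracle Middleware"; then
    echo "rejected: directory name contains a space"
fi
logdir=$(iam_inventory_logs "$demo_dir/oh")
echo "installer logs are written to: $logdir"
iam_list_install_logs "$logdir"
rm -rf "$demo_dir"
```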

2.6 Optional: Updating the WebLogic Administrator Server User Name in Oracle Enterprise Manager Fusion Middleware Control (OIM Only)

Read this section only if the user name for the WebLogic Administrator for the domain is not weblogic. This task is required only if you are using Oracle Identity Manager.

If your WebLogic administrator user name is not weblogic, complete the following steps:

1. Ensure that the Oracle Identity Manager Managed server is up and running.

2. Log in to Oracle Enterprise Manager Fusion Middleware Control using your WebLogic Server administrator credentials.

3. Click Identity and Access > oim > oim(11.1.1.2.0). Right-click and select System MBean Browser. The System MBean Browser page is displayed.

4. Under Application Defined MBeans, select oracle.iam > Server:oim_server1 > Application: oim > XMLConfig > config > XMLConfig.SOAConfig > SOAConfig.

5. View the attribute username. By default, the value of the attribute is weblogic. Change this value to your WebLogic administrator user name.

6. Click Apply. Exit Oracle Enterprise Manager Fusion Middleware Control.

7. On the command line, use the cd command to move from your present working directory to the <IAM_Home>/common/bin directory. IAM_Home is the Oracle Identity and Access Management home directory for Oracle Identity Manager, Oracle Access Management, Oracle Adaptive Access Manager, Oracle Entitlements Server, Oracle Identity Navigator, Oracle Privileged Account Manager, and Oracle Access Management Mobile and Social.

8. Launch the WebLogic Scripting Tool (WLST) interface as follows:

On UNIX: Run ./wlst.sh on the command line.

On Windows: Run wlst.cmd.

At the WLST command prompt (wls:/offline>), type the following:

connect()

You are prompted to enter the WebLogic Administration Server user name, password, and URL. For more information about using the WLST interface, see the topic "Using the WebLogic Scripting Tool" in the guide Oracle Fusion Middleware Oracle WebLogic Scripting Tool.

a. Run the deleteCred WLST command:

deleteCred(map="oim", key="SOAAdminPassword");

b. Run the createCred WLST command, and replace the ADMIN_PASSWORD with your WebLogic administrator password:

createCred(map="oim", key="SOAAdminPassword", user="xelsysadm", password="<ADMIN_PASSWORD>");

c. Run the following WLST command to verify the values:

listCred(map="oim", key="SOAAdminPassword");

d. Type exit() to exit the WLST command shell.

9. Open the Oracle Identity Manager Administration Console, and log in as user xelsysadm.

10. Create a new user for the user name of your WebLogic administrator.

11. Search for the Administrators role. Open the role details, and click the Members tab.

12. Remove all the existing members of the Administrators role.

13. Add the newly created user (the one with your WebLogic administrator user name) as a member of the Administrators role.

14. Restart the Oracle Identity Manager Managed Server, as described in Appendix C.1, "Starting the Stack".

Part II Installing and Configuring Oracle Identity and Access Management (11.1.2)

Part II provides information about installing and configuring the following Oracle Identity and Access Management products:

■ Oracle Identity Manager

■ Oracle Access Management

■ Oracle Adaptive Access Manager

■ Oracle Entitlements Server

■ Oracle Identity Navigator

■ Oracle Privileged Account Manager

■ Oracle Access Management Mobile and Social

Additionally, Part II provides information about installing and configuring Oracle HTTP Server 11g Webgate for Oracle Access Manager, and migrating from Domain Agent to Oracle HTTP Server 10g Webgate for Oracle Access Manager.

Part II contains the following chapters:

■ Chapter 3, "Installing and Configuring Oracle Identity and Access Management (11.1.2)"

■ Chapter 4, "Configuring Oracle Identity Navigator"

■ Chapter 5, "Configuring Oracle Identity Manager"

■ Chapter 6, "Configuring Oracle Access Management"

■ Chapter 7, "Configuring Oracle Adaptive Access Manager"

■ Chapter 8, "Installing and Configuring Oracle Entitlements Server"

■ Chapter 9, "Configuring Oracle Privileged Account Manager"

■ Chapter 10, "Configuring Oracle Access Management Mobile and Social"

■ Chapter 11, "Migrating from Domain Agent to Oracle HTTP Server 10g Webgate for Oracle Access Manager"

■ Chapter 12, "Installing and Configuring Oracle HTTP Server 11g Webgate for Oracle Access Manager"

■ Chapter 13, "Lifecycle Management"

3 Installing and Configuring Oracle Identity and Access Management (11.1.2)

This chapter includes the following topics:

■ Installation and Configuration Roadmap

■ Installing and Configuring Oracle Identity and Access Management (11.1.2)

3.1 Installation and Configuration Roadmap

Table 3–1 lists the general installation and configuration tasks that apply to Oracle Identity and Access Management 11g Release 2 (11.1.2) products.

Table 3–1 Installation and Configuration Flow for Oracle Identity and Access Management

No. Task Description

1 Review installation concepts in the Installation Planning Guide. Read the Oracle Fusion Middleware Installation Planning Guide, which describes the process for various users to install or upgrade to Oracle Fusion Middleware 11g (11.1.2) depending on the user's existing environment.

2 Review the system requirements and certification documents to ensure that your environment meets the minimum installation requirements for the components you are installing. For more information, see Section 2.1, "Reviewing System Requirements and Certification".

3 Obtain the Oracle Fusion Middleware Software. For more information, see Section 3.2.1, "Obtaining the Oracle Fusion Middleware Software".

4 Review the Database requirements. For more information, see Section 3.2.2, "Database Requirements".

5 Run Oracle Fusion Middleware Repository Creation Utility (RCU) to create and load the appropriate schemas for Oracle Identity and Access Management products. For more information, see Section 3.2.3, "Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU)".

6 Review WebLogic Server and Middleware Home requirements. For more information, see Section 3.2.4, "WebLogic Server and Middleware Home Requirements".

7 For Oracle Identity Manager users only: Install the latest version of Oracle SOA Suite 11g (11.1.1.6.0). For more information, see Section 3.2.5, "Installing Oracle SOA Suite 11.1.1.6.0 (Oracle Identity Manager Users Only)".

8 Start the Oracle Identity and Access Management Installer. For more information, see Section 3.2.6, "Starting the Oracle Identity and Access Management Installer".

9 Install the Oracle Identity and Access Management 11g software. For more information, see Section 3.2.7, "Installing Oracle Identity and Access Management (11.1.2)".

10 Run the Oracle Fusion Middleware Configuration Wizard to configure your Oracle Identity and Access Management products in a new or existing WebLogic domain. For more information, see Section 3.2.8, "Configuring Oracle Identity and Access Management (11.1.2) Products".

Note: If you are using Oracle Identity Manager, you must perform additional configuration after configuring Oracle Identity Manager in a WebLogic domain. For more information, see Chapter 5, "Configuring Oracle Identity Manager".

11 Configure the Database Security Store. For more information, see Section 3.2.9, "Configuring Database Security Store for an Oracle Identity and Access Management Domain".

12 Start the servers. You must start the Administration Server and all Managed Servers. For more information, see Section C.1, "Starting the Stack".

3.2 Installing and Configuring Oracle Identity and Access Management (11.1.2)

Follow the instructions in this section to install and configure the latest Oracle Identity and Access Management software.

Installing and configuring the latest version of Oracle Identity and Access Management 11g components involves the following steps:

■ Obtaining the Oracle Fusion Middleware Software

■ Database Requirements

■ Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU)

■ WebLogic Server and Middleware Home Requirements

■ Installing Oracle SOA Suite 11.1.1.6.0 (Oracle Identity Manager Users Only)

■ Starting the Oracle Identity and Access Management Installer

■ Installing Oracle Identity and Access Management (11.1.2)

■ Configuring Oracle Identity and Access Management (11.1.2) Products

■ Configuring Database Security Store for an Oracle Identity and Access Management Domain

■ Starting the Servers

3.2.1 Obtaining the Oracle Fusion Middleware Software

For installing Oracle Identity and Access Management, you must obtain the following software:

■ Oracle WebLogic Server 11g Release 1 (10.3.6) or Oracle WebLogic Server 11g Release 1 (10.3.5)

■ Oracle Database

■ Oracle Repository Creation Utility

■ Oracle Identity and Access Management Suite

■ Oracle SOA Suite 11.1.1.6.0 (required for Oracle Identity Manager only)

For more information on obtaining Oracle Fusion Middleware 11g software, see Oracle Fusion Middleware Download, Installation, and Configuration ReadMe.

3.2.2 Database Requirements

Some Oracle Identity and Access Management components require an Oracle Database. Ensure that you have an Oracle Database installed on your system before installing Oracle Identity and Access Management. The database must be up and running to install the relevant Oracle Identity and Access Management component. The database does not have to be on the same system where you are installing the Oracle Identity and Access Management component.

The following database versions are supported:

■ 10.2.0.4 and higher

■ 11.1.0.7 and higher

■ 11.2.0.1 and higher

3.2.2.1 Oracle Database 11.1.0.7 Patch Requirements for Oracle Identity Manager

To identify the patches required for Oracle Identity Manager 11.1.2 configurations that use Oracle Database 11.1.0.7, refer to the Oracle Identity Manager section of the 11g Release 2 Oracle Fusion Middleware Release Notes.

3.2.3 Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU)

You must create and load the appropriate Oracle Fusion Middleware schemas in the database using RCU before installing and configuring the following Oracle Identity and Access Management components:

■ Oracle Identity Manager

■ Oracle Access Management

■ Oracle Adaptive Access Manager

■ Oracle Entitlements Server

■ Oracle Privileged Account Manager

■ Oracle Identity Navigator

For more information on obtaining Oracle Fusion Middleware Repository Creation Utility, see Oracle Fusion Middleware Download, Installation, and Configuration ReadMe.

Note: For information about RCU requirements for Oracle Databases, see the "RCU Requirements for Oracle Databases" topic in the Oracle Fusion Middleware System Requirements and Specifications document.

Before running RCU, ensure that you have the database connection string, port, administrator credentials, and service name ready.

When you run RCU, create and load only the following schemas for the Oracle Identity and Access Management component you are installing—do not select any other schema available in RCU:

■ For Oracle Identity Manager, select the Identity Management - Oracle Identity Manager schema. When you select the Identity Management - Oracle Identity Manager schema, the following schemas are also selected, by default:

– SOA Infrastructure

– User Messaging Service

– AS Common Schemas - Oracle Platform Security Services

– AS Common Schemas - Metadata Services

■ For Oracle Adaptive Access Manager, select the Identity Management - Oracle Adaptive Access Manager schema. When you select the Identity Management - Oracle Adaptive Access Manager schema, the following schemas are also selected, by default:

– AS Common Schemas - Oracle Platform Security Services

– AS Common Schemas - Metadata Services

– AS Common Schemas - Audit Services

For Oracle Adaptive Access Manager with partition schema support, select the Identity Management - Oracle Adaptive Access Manager (Partition Supp...) schema. When you select the Identity Management - Oracle Adaptive Access Manager (Partition Supp...) schema, the following schemas are also selected, by default:

– AS Common Schemas - Oracle Platform Security Services

– AS Common Schemas - Metadata Services

– AS Common Schemas - Audit Services

■ For Oracle Access Management, select the Identity Management - Oracle Access Manager schema. When you select the Identity Management - Oracle Access Manager schema, the following schemas are also selected, by default:

– AS Common Schemas - Oracle Platform Security Services

– AS Common Schemas - Metadata Services

– AS Common Schemas - Audit Services

■ For Oracle Entitlements Server, select the AS Common Schemas - Oracle Platform Security Services schema. By default, the AS Common Schemas - Metadata Services schema is also selected.

■ For Oracle Privileged Account Manager, select the Identity Management - Oracle Privileged Account Manager schema. When you select the Identity Management - Oracle Privileged Account Manager schema, the following schemas are also selected, by default:

– AS Common Schemas - Oracle Platform Security Services

– AS Common Schemas - Metadata Services

■ For Oracle Identity Navigator, select the AS Common Schemas - Oracle Platform Security Services schema. By default, the AS Common Schemas - Metadata Services schema is also selected.

Notes:

■ RCU is available only on Linux and Windows platforms. Use the Linux RCU to create schemas on supported UNIX databases. Use the Windows RCU to create schemas on supported Windows databases. After you extract the contents of the rcuHome.zip file to a directory, you can see the executable file rcu in the BIN directory.

■ For information on launching and running RCU, see the "Launching RCU with a Variety of Methods" and "Running Oracle Fusion Middleware Repository Creation Utility (RCU)" topics in the Oracle Fusion Middleware Repository Creation Utility User's Guide.

■ For information on creating schemas, see the "Creating Schemas" topic in the Oracle Fusion Middleware Repository Creation Utility User's Guide.

■ For information about troubleshooting RCU, see the "Troubleshooting Repository Creation Utility" topic in the Oracle Fusion Middleware Repository Creation Utility User's Guide.

Note: For information about Oracle Adaptive Access Manager schema partitions, see Appendix J, "Oracle Adaptive Access Manager Partition Schema Reference".

Note: If you want to use Transparent Data Encryption (TDE) for Oracle Access Management, you must set up TDE for Oracle Access Management before creating the Oracle Access Management schema. For more information, see Section 6.4, "Optional: Setting Up TDE for Oracle Access Management".

Note: When you create a schema, be sure to remember the schema owner and password that is shown in RCU. You must specify the schema owner and password information when you configure the Oracle Identity and Access Management products.

If you are creating schemas on databases with Oracle Database Vault installed, note that statements such as CREATE USER, ALTER USER, DROP USER, CREATE PROFILE, ALTER PROFILE, and DROP PROFILE can only be issued by a user with the DV_ACCTMGR role. SYSDBA can issue these statements by modifying the Can Maintain Accounts/Profiles rule set only if it is allowed.

3.2.4 WebLogic Server and Middleware Home Requirements

Before you can install Oracle Identity and Access Management 11g Release 2 (11.1.2) components, you must ensure that you have installed Oracle WebLogic Server 11g Release 1 (10.3.6) or Oracle WebLogic Server 11g Release 1 (10.3.5), and created a Middleware Home directory.

For more information, see "Install Oracle WebLogic Server" in Oracle Fusion Middleware Installation Planning Guide. In addition, see Oracle Fusion Middleware Installation Guide for Oracle WebLogic Server for complete information about installing Oracle WebLogic Server.

3.2.5 Installing Oracle SOA Suite 11.1.1.6.0 (Oracle Identity Manager Users Only)

If you are installing Oracle Identity Manager, you must install Oracle SOA Suite 11.1.1.6.0. Note that only Oracle Identity Manager requires Oracle SOA Suite. This step is required because Oracle Identity Manager uses process workflows in Oracle SOA Suite to manage request approvals.

For more information about installing Oracle SOA Suite 11.1.1.6.0, see Oracle Fusion Middleware Installation Guide for Oracle SOA Suite and Oracle Business Process Management Suite.

3.2.6 Starting the Oracle Identity and Access Management Installer

This topic explains how to start the Oracle Identity and Access Management Installer.

Note: On 64-bit platforms, when you install Oracle WebLogic Server using the generic jar file, JDK is not installed with Oracle WebLogic Server. You must install JDK separately, before installing Oracle WebLogic Server.

Ensure that the JDK version you select is Java SE 6 Update 24 or higher.

Note: By default, WebLogic domains are created in a directory named domains located in the user_projects directory under your Middleware Home. After you configure any of the Oracle Identity and Access Management products in a WebLogic administration domain, a new directory for the domain is created in the domains directory. In addition, a directory named applications is created in the user_projects directory. This applications directory contains the applications deployed in the domain.

Note: If you have already created a Middleware Home before installing Oracle Identity and Access Management components, do not create a new Middleware Home again. You must use the same Middleware Home for installing Oracle SOA Suite.

Notes:

■ If you are installing on an IBM AIX operating system, you must run the rootpre.sh script from the Disk1 directory before you start the installer.

■ Starting the Installer as the root user is not supported.

Start the Installer by executing one of the following commands:

UNIX: <full path to the runInstaller directory>/runInstaller -jreLoc <full path to the JRE directory>

Windows: <full path to the setup.exe directory>\setup.exe -jreLoc <full path to the JRE directory>
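The following wrapper for the UNIX command above is an added example, not from the Oracle guide. It applies the Section 3.2.6 preconditions before running runInstaller: it refuses to run as root, locates the JRE to pass with -jreLoc (the jrockit_1.6.0_29 directory under the Middleware Home when present, otherwise the JDK in JAVA_HOME, which is what a 64-bit generic-jar install leaves you with), and verifies the JDK reports a version of at least Java SE 6 Update 24. The Disk1 argument and the parsing of the "java -version" string are assumptions.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: a launcher that applies the
# Section 3.2.6 preconditions before running runInstaller. Directory names
# (jrockit_1.6.0_29, Disk1) follow the guide's own examples; everything
# else here is an assumption made for the demonstration.

# Return 0 when a version string such as 1.6.0_29 is at least 1.6.0_24
# (Java SE 6 Update 24); later major versions pass the numeric floor.
jdk_meets_min() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2)
    rest=$(printf '%s' "$1" | cut -d. -f3)    # e.g. 0_29
    update=${rest#*_}                          # e.g. 29 (0 if absent)
    case "$update" in ''|*[!0-9]*) update=0 ;; esac
    case "$major$minor" in *[!0-9]*|'') return 1 ;; esac
    [ "$major" -eq 1 ] || return 1             # 1.x version numbering only
    [ "$minor" -gt 6 ] && return 0             # later than Java SE 6
    [ "$minor" -eq 6 ] && [ "$update" -ge 24 ] && return 0
    return 1
}

# Extract the version string from "java -version" output (written to stderr).
jre_version() {
    "$1/bin/java" -version 2>&1 \
        | sed -n 's/^[A-Za-z]* version "\([^"]*\)".*/\1/p' | head -n 1
}

# Choose the JRE directory for -jreLoc: the JRockit JDK that the WebLogic
# installer places under MW_HOME when it exists; otherwise the JRE of the
# JDK in JAVA_HOME (64-bit generic-jar installs create no jrockit_* dir).
find_jre() {
    if [ -x "$1/jrockit_1.6.0_29/jre/bin/java" ]; then
        printf '%s\n' "$1/jrockit_1.6.0_29/jre"
    elif [ -n "$2" ] && [ -x "$2/jre/bin/java" ]; then
        printf '%s\n' "$2/jre"
    elif [ -n "$2" ] && [ -x "$2/bin/java" ]; then
        printf '%s\n' "$2"
    else
        return 1
    fi
}

# Run the installer from the Disk1 directory once every check has passed.
launch_installer() {
    disk1="$1"; mw_home="$2"; java_home="$3"
    if [ "$(id -u)" -eq 0 ]; then
        echo "Starting the Installer as the root user is not supported" >&2
        return 1
    fi
    jre=$(find_jre "$mw_home" "$java_home") || {
        echo "No JRE found under $mw_home or JAVA_HOME=$java_home" >&2
        return 1
    }
    ver=$(jre_version "$jre")
    jdk_meets_min "$ver" || {
        echo "JDK $ver at $jre is older than Java SE 6 Update 24" >&2
        return 1
    }
    echo "Launching installer with -jreLoc $jre (Java $ver)"
    "$disk1/runInstaller" -jreLoc "$jre"
}

# Usage: sh launch_iam_installer.sh <Disk1 directory> <MW_HOME> [JAVA_HOME]
# Without arguments, show the version check on two sample strings.
if [ "$#" -ge 2 ]; then
    launch_installer "$1" "$2" "${3:-$JAVA_HOME}"
else
    for v in 1.6.0_29 1.6.0_20; do
        if jdk_meets_min "$v"; then echo "$v: acceptable"; else echo "$v: too old"; fi
    done
fi
```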

Note: The installer prompts you to enter the absolute path of the JRE that is installed on your system. When you install Oracle WebLogic Server, the jrockit_1.6.0_29 directory is created under your Middleware Home. You must enter the absolute path of the JRE folder located in this JDK when launching the installer. For example, on Windows, if the JDK is located in D:\oracle\Middleware\jrockit_1.6.0_29, then launch the installer from the command prompt as follows:

D:\setup.exe -jreLoc D:\oracle\Middleware\jrockit_1.6.0_29\jre

If you do not specify the -jreLoc option on the command line when using the Oracle JRockit JDK, the following warning message is displayed:

-XX:MaxPermSize=512m is not a valid VM option. Ignoring

This warning message does not affect the installation. You can continue with the installation.

On 64-bit platforms, when you install Oracle WebLogic Server using the generic jar file, the jrockit_1.6.0_29 directory will not be created under your Middleware Home. You must enter the absolute path of the JRE folder from where your JDK is located.

3.2.7 Installing Oracle Identity and Access Management (11.1.2)

This topic describes how to install the Oracle Identity and Access Management 11g software, which includes Oracle Identity Manager, Oracle Access Management, Oracle Adaptive Access Manager, Oracle Identity Navigator, Oracle Entitlements Server, Oracle Privileged Account Manager, and Oracle Access Management Mobile and Social.

It includes the following sections:

■ Products Installed

■ Dependencies

■ Procedure

■ Understanding the Directory Structure After Installation

3.2.7.1 Products Installed

Performing the installation in this section installs the following products:

■ Oracle Identity Manager

■ Oracle Access Management

■ Oracle Adaptive Access Manager

■ Oracle Identity Navigator

■ Oracle Entitlements Server

■ Oracle Privileged Account Manager

■ Oracle Access Management Mobile and Social

Note: Oracle Identity and Access Management 11g Release 2 (11.1.2) contains Oracle Access Management which includes the following services:

■ Oracle Access Manager

■ Oracle Access Management Security Token Service

■ Oracle Access Management Identity Federation

■ Oracle Access Management Mobile and Social

For more information about these services, see "Oracle Product Introduction" in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

Note: For Oracle Identity and Access Management 11.1.2, Oracle Adaptive Access Manager includes two components:

■ Oracle Adaptive Access Manager (Online)

■ Oracle Adaptive Access Manager (Offline)

Note: When you are installing Oracle Identity and Access Management, only the Administration Server of Oracle Entitlements Server is installed.

To install and configure Oracle Entitlements Server Client, see Section 8.6, "Installing Oracle Entitlements Server Client".

Note: For an introduction to the Oracle Privileged Account Manager, see "Understanding Oracle Privileged Account Manager" in the Oracle Fusion Middleware Administrator's Guide for Oracle Privileged Account Manager.

Notes:

■ For an introduction to Oracle Access Management Mobile and Social, see the "Understanding Mobile and Social" chapter in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

■ The Oracle Access Management Mobile and Social standalone template does not use the database security store. If Oracle Access Management Mobile and Social is deployed standalone in a domain, and if you want to extend that domain to include other Oracle Identity and Access Management 11gR2 components, you must complete the following additional steps:

1. Create an Oracle Platform Security Services schema using the Oracle Fusion Middleware Repository Creation Utility (RCU). For more information, see Section 3.2.3, "Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU)".

2. Extend the Oracle Access Management Mobile and Social domain with the Oracle Platform Security Service 11.1.1.0 [IAM_Home] template.

For information on extending WebLogic Server domains, see the "Extending WebLogic Domains" chapter in the Oracle Fusion Middleware Creating Domains Using the Configuration Wizard guide.

The Oracle Access Management Mobile and Social domain can now be extended to include other Oracle Identity and Access Management 11gR2 components.

3.2.7.2 Dependencies

The installation in this section depends on the following:

■ Oracle WebLogic Server 11g Release 1 (10.3.6) or Oracle WebLogic Server 11g Release 1 (10.3.5)

■ Oracle Database and any required patches

■ Oracle SOA Suite 11.1.1.6.0 (required for Oracle Identity Manager only)

■ JDK (Java SE 6 Update 24 or higher) or JRockit

3.2.7.3 Procedure

Complete the following steps to install the Oracle Identity and Access Management suite that contains Oracle Identity Manager, Oracle Access Management, Oracle Adaptive Access Manager, Oracle Identity Navigator, Oracle Entitlements Server, Oracle Privileged Account Manager, and Oracle Access Management Mobile and Social:

1. Start your installation by performing all the steps in Section 3.2.6, "Starting the Oracle Identity and Access Management Installer". After you complete those steps, the Welcome screen appears.

2. Click Next on the Welcome screen. The Install Software Updates screen appears. Select whether or not you want to search for updates. Click Next.

3. The Prerequisite Checks screen appears. If all prerequisite checks pass inspection, click Next. The Specify Installation Location screen appears.

4. On the Specify Installation Location screen, enter the path to the Oracle Middleware Home that was created when you installed Oracle WebLogic Server 11g Release 1 (10.3.6) or Oracle WebLogic Server 11g Release 1 (10.3.5) on your system.

5. In the Oracle Home Directory field, enter a name for the Oracle Home folder that will be created under your Middleware Home. This directory is also referred to as IAM_Home in this book.

Click Next. The Installation Summary screen appears.

Note: If you do not specify a valid Middleware Home directory on the Specify Installation Location screen, the Installer displays a message and prompts you to confirm whether you want to proceed with the installation of only Oracle Identity Manager Design Console and Oracle Identity Manager Remote Manager. These two components of Oracle Identity Manager do not require a Middleware Home directory.

If you want to install only Oracle Identity Manager Design Console or Remote Manager, you do not need to install Oracle WebLogic Server or create a Middleware Home directory on the machine where Design Console or Remote Manager is being configured.

Before using Oracle Identity Manager Design Console or Remote Manager, you must configure Oracle Identity Manager Server on the machine where the Administration Server is running. When configuring Design Console or Remote Manager on a different machine, you can specify the Oracle Identity Manager Server host and URL information.

Note: The name that you provide for the Oracle Home for installing the Oracle Identity and Access Management suite should not be the same as the Oracle Home name given for the Oracle Identity Management suite.

Oracle Identity Management 11g Release 1 is part of Oracle Fusion Middleware and includes components like Oracle Internet Directory, Oracle Virtual Directory, Oracle Directory Services Manager, Oracle Directory Integration Platform, and Oracle Identity Federation.

6. The Installation Summary screen displays a summary of the choices that you made. Review this summary and decide whether to start the installation. If you want to modify any of the configuration settings at this stage, select a topic in the left navigation page and modify your choices. To continue installing Oracle Identity and Access Management, click Install. The Installation Progress screen appears. Click Next.

7. The Installation Complete screen appears. On the Installation Complete screen, click Finish.

This installation process copies the Identity Management software to your system and creates an IAM_Home directory under your Middleware Home.

After installing the Oracle Identity and Access Management software, you must proceed to Section 3.2.8, "Configuring Oracle Identity and Access Management (11.1.2) Products," to configure Oracle Identity and Access Management products in a new or existing WebLogic domain.

Note: If you cancel or abort when the installation is in progress, you must manually delete the <IAM_Home> directory before you can reinstall the Oracle Identity and Access Management software.

To invoke online help at any stage of the installation process, click the Help button on the installation wizard screens.

3.2.7.4 Understanding the Directory Structure After Installation

This section describes the directory structure after installation of Oracle WebLogic Server and Oracle Identity and Access Management.

After you install the Oracle Identity and Access Management suite, an Oracle Home directory for Oracle Identity and Access Management, such as Oracle_IDM1, is created under your Middleware Home. This home directory is also referred to as IAM_Home in this guide.

For more information about identifying installation directories, see Section 2.3, "Identifying Installation Directories".

3.2.8 Configuring Oracle Identity and Access Management (11.1.2) Products

After Oracle Identity and Access Management 11g is installed, you are ready to configure the WebLogic Server Administration Domain for Oracle Identity and Access Management components. A domain includes a special WebLogic Server instance called the Administration Server, which is the central point from which you configure and manage all resources in the domain.

When you configure an Oracle Identity and Access Management 11.1.2 component, you can choose one of the following configuration options:

■ Create a New Domain

■ Extend an Existing Domain

You can use the Oracle Fusion Middleware Configuration Wizard to create a WebLogic domain or extend an existing domain.

Note: You should not extend the Oracle Identity Management 11g Release 1 (11.1.1.6.0) domain to support Oracle Identity and Access Management 11g Release 2 (11.1.2) products.


Create a New Domain

Select the Create a new WebLogic domain option on the Welcome screen in the Oracle Fusion Middleware Configuration Wizard to create a new WebLogic Server domain.

Extend an Existing Domain

Select the Extend an existing WebLogic domain option on the Welcome screen in the Oracle Fusion Middleware Configuration Wizard to add Oracle Identity and Access Management components in an existing Oracle WebLogic Server administration domain.

For component-specific configuration information about Oracle Identity and Access Management products, see the following chapters:

■ Chapter 4, "Configuring Oracle Identity Navigator"

■ Chapter 5, "Configuring Oracle Identity Manager"

■ Chapter 6, "Configuring Oracle Access Management"

■ Chapter 7, "Configuring Oracle Adaptive Access Manager"

■ Chapter 8, "Installing and Configuring Oracle Entitlements Server"

■ Chapter 9, "Configuring Oracle Privileged Account Manager"

■ Chapter 10, "Configuring Oracle Access Management Mobile and Social"

If you are configuring Oracle Identity Manager, you must run the Oracle Identity Manager Configuration Wizard after configuring a domain, to configure Oracle Identity Manager Server, Oracle Identity Manager Design Console, and Oracle Identity Manager Remote Manager as described in Section 5.6, "Starting the Oracle Identity Manager 11g Configuration Wizard". For more information, see the following sections:

■ Section 5.7, "Configuring Oracle Identity Manager Server"

■ Section 5.8, "Optional: Configuring Oracle Identity Manager Design Console"

■ Section 5.9, "Optional: Configuring Oracle Identity Manager Remote Manager"

See: The "Understanding Oracle WebLogic Server Domains" chapter in the Oracle Fusion Middleware Understanding Domain Configuration for Oracle WebLogic Server guide for more information about Oracle WebLogic Server administration domains.

In addition, see the Oracle Fusion Middleware Creating Domains Using the Configuration Wizard guide for complete information about how to use the Configuration Wizard to create or extend WebLogic Server domains. This guide also provides the Oracle Fusion Middleware Configuration Wizard Screens.

3.2.9 Configuring Database Security Store for an Oracle Identity and Access Management Domain

This section discusses the following topics:

■ Before Configuring Database Security Store

■ Configuring the Database Security Store


3.2.9.1 Overview

You must run the configureSecurityStore.py script to configure the Database Security Store as it is the only security store type supported by the Oracle Identity & Access Management 11g Release 2 (11.1.2).

The configureSecurityStore.py script is located in the <IAM_HOME>\common\tools directory. You can use the -h option for help information about using the script. Note that not all arguments will apply to configuring the Database Security Store.

For example:

On Windows:

<MW_HOME>\oracle_common\common\bin\wlst.cmd <IAM_HOME>\common\tools\configureSecurityStore.py -h

On UNIX:

<MW_HOME>/oracle_common/common/bin/wlst.sh <IAM_HOME>/common/tools/configureSecurityStore.py -h

Table 3–2 describes the parameters that you may specify on the command line.

Table 3–2 Database Security Store Configuration Parameters

-d domaindir
    Location of the directory containing the domain.

-m mode
    One of the following:
    create - Use create if you want to create a new database security store.
    join - Use join if you want to use an existing database security store for the domain.
    validate - Use validate to verify whether the Security Store has been configured correctly. This command validates diagnostics data created during initial creation of the Security Store.
    validate_fix - Use validate_fix to fix diagnostics data present in the Security Store.
    fixjse - Use fixjse to update the domain's Database Security Store credentials used for access by JSE tools.

-c configmode
    The configuration mode of the domain. When configuring the Database Security Store, this value must be specified as IAM.

-p password
    The OPSS schema password.

-k keyfilepath
    The directory containing the encryption key file ewallet.p12. If -m join is specified, this option is mandatory.

-w keyfilepassword
    The password used when the domain's key file was generated. If -m join is specified, this option is mandatory.

-u username
    The user name of the OPSS schema. If -m fixjse is specified, this option is mandatory.


3.2.9.2 Before Configuring Database Security Store

Each Oracle Identity and Access Management 11g Release 2 (11.1.2) domain must be configured to have a Database Security Store. Before you configure the Database Security Store for an Oracle Identity and Access Management 11g Release 2 (11.1.2) domain, you must identify the products to be configured in a single-domain scenario or in a multiple-domain scenario.

3.2.9.3 Configuring the Database Security Store

The following configureSecurityStore.py options are available for configuring the domain to use the Database Security Store:

■ -m create

■ -m join

Configuring the Database Security Store Using the Create Option

To configure a domain to use a database security store using the -m create option, you must run the configureSecurityStore.py script as follows:

On Windows:

<MW_HOME>\oracle_common\common\bin\wlst.cmd <IAM_HOME>\common\tools\configureSecurityStore.py -d <domaindir> -c IAM -p <opss_schema_password> -m create

For example:

<MW_HOME>\oracle_common\common\bin\wlst.cmd <IAM_HOME>\common\tools\configureSecurityStore.py -d <MW_Home>\user_projects\domains\base_domain -c IAM -p welcome1 -m create

On UNIX:

<MW_HOME>/oracle_common/common/bin/wlst.sh <IAM_HOME>/common/tools/configureSecurityStore.py -d <domaindir> -c IAM -p <opss_schema_password> -m create

For example:

<MW_HOME>/oracle_common/common/bin/wlst.sh <IAM_HOME>/common/tools/configureSecurityStore.py -d <MW_Home>/user_projects/domains/base_domain -c IAM -p welcome1 -m create

Configuring the Database Security Store Using the Join Option

Note: Irrespective of the number of domains in a logical Oracle Identity and Access Management 11g Release 2 (11.1.2) deployment (a logical deployment is a collection of Oracle Identity and Access Management products running in one or more domains and using a single database to hold product schemas), all domains share the same Database Security Store and use the same domain encryption key.

The Database Security Store is created at the time of creating the first domain, and then each new domain created is joined with the Database Security Store already created.

To configure a domain to use the database security store using the -m join option, you must first export the domain encryption key from a domain in the same logical Oracle Identity and Access Management deployment already configured to work with the database security store, and then run the configureSecurityStore.py script as follows:

On Windows:

1. Export encryption keys from a domain already configured to work with the Database Security Store as follows:

<MW_HOME>\oracle_common\common\bin\wlst.cmd exportEncryptionKey(jpsConfigFile=<jpsConfigFile>, keyFilePath=<keyFilePath>, keyFilePassword=<keyFilePassword>)

2. Run the configureSecurityStore.py script with the -m join option.

<MW_HOME>\oracle_common\common\bin\wlst.cmd <IAM_HOME>\common\tools\configureSecurityStore.py -d <domaindir> -c IAM -p <opss_schema_password> -m join -k <keyfilepath> -w <keyfilepassword>

For example:

<MW_HOME>\oracle_common\common\bin\wlst.cmd exportEncryptionKey(jpsConfigFile="<MW_HOME>\user_projects\domains\base_domain\config\fmwconfig\jps-config.xml", keyFilePath="myDir" , keyFilePassword="password")

<MW_HOME>\oracle_common\common\bin\wlst.cmd <IAM_HOME>\common\tools\configureSecurityStore.py -d <MW_Home>\user_projects\domains\base_domain1 -c IAM -p welcome1 -m join -k myDir -w password

On UNIX:

1. Export encryption keys from a domain already configured to work with the Database Security Store as follows:

<MW_HOME>/oracle_common/common/bin/wlst.sh exportEncryptionKey(jpsConfigFile=<jpsConfigFile>, keyFilePath=<keyFilePath>, keyFilePassword=<keyFilePassword>)

2. Run the configureSecurityStore.py script with the -m join option.

<MW_HOME>/oracle_common/common/bin/wlst.sh <IAM_HOME>/common/tools/configureSecurityStore.py -d <domaindir> -c IAM -p <opss_schema_password> -m join -k <keyfilepath> -w <keyfilepassword>

For example:

<MW_HOME>/oracle_common/common/bin/wlst.sh exportEncryptionKey(jpsConfigFile="<MW_HOME>/user_projects/domains/base_domain/config/fmwconfig/jps-config.xml", keyFilePath="myDir", keyFilePassword="password")

<MW_HOME>/oracle_common/common/bin/wlst.sh <IAM_HOME>/common/tools/configureSecurityStore.py -d <MW_Home>/user_projects/domains/base_domain1 -c IAM -p welcome1 -m join -k myDir -w password

Note: Exporting the domain encryption key from a domain already configured to work with the Database Security Store is done via the WLST command:

exportEncryptionKey(jpsConfigFile=<jpsConfigFile>, keyFilePath=<keyFilePath>, keyFilePassword=<keyFilePassword>)

where:

<jpsConfigFile> - is the absolute location of the file jps-config.xml in the domain from which the encryption key is being exported.

<keyFilePath> - is the directory where the file ewallet.p12 is created; note that the content of this file is encrypted and secured by keyFilePassword.

<keyFilePassword> - is the password to secure the file ewallet.p12; note that this same password must be used when importing that file.

Validating the Database Security Store Configuration

To validate whether the security store has been created or joined correctly, run the configureSecurityStore.py script with the -m validate option, as follows:

On Windows:

<MW_HOME>\oracle_common\common\bin\wlst.cmd <IAM_HOME>\common\tools\configureSecurityStore.py -d <domaindir> -m validate

For example:

<MW_HOME>\oracle_common\common\bin\wlst.cmd <IAM_HOME>\common\tools\configureSecurityStore.py -d <MW_Home>\user_projects\domains\base_domain -m validate

On UNIX:

<MW_HOME>/oracle_common/common/bin/wlst.sh <IAM_HOME>/common/tools/configureSecurityStore.py -d <domaindir> -m validate

For example:

<MW_HOME>/oracle_common/common/bin/wlst.sh <IAM_HOME>/common/tools/configureSecurityStore.py -d <MW_Home>/user_projects/domains/base_domain -m validate

3.2.9.4 Example Scenarios for Configuring the Database Security Store

Consider the following example scenarios:

■ Example Scenario for One or More Oracle Identity and Access Management Products in the Same Domain

■ Example Scenario for Oracle Identity and Access Management Products in Different Domains

3.2.9.4.1 Example Scenario for One or More Oracle Identity and Access Management Products in the Same Domain

Note: In a single-domain scenario, the command to create the Database Security Store is executed once after the domain is created but before the domain is started for the first time.


Scenario 1: Oracle Identity Manager, Oracle Access Management, and Oracle Adaptive Access Manager in the same WebLogic Administration Domain Sharing the same Database Security Store

To achieve this, you must complete the following tasks:

1. Create a new WebLogic domain for Oracle Identity Manager and SOA (for example, oim_dom) by completing the steps described in Table 5–1, "Installation and Configuration Flow for Oracle Identity Manager".

After creating a new WebLogic domain for Oracle Identity Manager and SOA, run the configureSecurityStore.py script to configure the Database Security Store as follows:

On Windows:

<MW_HOME>\oracle_common\common\bin\wlst.cmd <IAM_HOME>\common\tools\configureSecurityStore.py -d <MW_Home>\user_projects\domains\oim_dom -c IAM -p welcome1 -m create

On UNIX:

<MW_HOME>/oracle_common/common/bin/wlst.sh <IAM_HOME>/common/tools/configureSecurityStore.py -d <MW_Home>/user_projects/domains/oim_dom -c IAM -p welcome1 -m create

2. Extend the Oracle Identity Manager domain (oim_dom) to include Oracle Access Management and Oracle Adaptive Access Manager. For more information, see "Extend an Existing Domain".

Oracle Access Management and Oracle Adaptive Access Manager are added to the Oracle Identity Manager domain (oim_dom), and they share the same Database Security Store used by the Oracle Identity Manager domain.

3.2.9.4.2 Example Scenario for Oracle Identity and Access Management Products in Different Domains

Note: In a multiple-domain scenario, the command to create the Database Security Store is executed once after the first domain is created but before the domain is started for the first time.

For each subsequent domain, the command to join the existing Database Security Store is executed once after the domain is created but before the domain is started for the first time.

■ Scenario 1: Oracle Identity Manager and Oracle Access Management in different WebLogic Administration Domains Sharing the same Database Security Store

To achieve this, you must complete the following tasks:

1. Create a new WebLogic domain for Oracle Identity Manager and SOA (for example, oim_dom) by completing the steps described in Table 5–1, "Installation and Configuration Flow for Oracle Identity Manager".

After creating a new WebLogic domain for Oracle Identity Manager and SOA, run the configureSecurityStore.py script to configure the Database Security Store as follows:

On Windows:

<MW_HOME>\oracle_common\common\bin\wlst.cmd <IAM_HOME>\common\tools\configureSecurityStore.py -d <MW_Home>\user_projects\domains\oim_dom -c IAM -p welcome1 -m create

On UNIX:

<MW_HOME>/oracle_common/common/bin/wlst.sh <IAM_HOME>/common/tools/configureSecurityStore.py -d <MW_Home>/user_projects/domains/oim_dom -c IAM -p welcome1 -m create

2. Create a new WebLogic domain for Oracle Access Management (for example, oam_dom) by completing the steps described in Table 6–1, "Installation and Configuration Flow for Oracle Access Management".

After creating a new WebLogic domain for Oracle Access Management, export the domain encryption key from the Oracle Identity Manager/SOA domain, and run the configureSecurityStore.py script to configure the Database Security Store as follows:

On Windows:

<MW_HOME>\oracle_common\common\bin\wlst.cmd exportEncryptionKey(jpsConfigFile="<MW_Home>\user_projects\domains\oim_dom\config\fmwconfig\jps-config.xml", keyFilePath="myDir" ,keyFilePassword="password")

<MW_HOME>\oracle_common\common\bin\wlst.cmd <IAM_HOME>\common\tools\configureSecurityStore.py -d <MW_Home>\user_projects\domains\oam_dom -c IAM -p welcome1 -m join -k myDir -w password

On UNIX:

<MW_HOME>/oracle_common/common/bin/wlst.sh exportEncryptionKey(jpsConfigFile="<MW_Home>/user_projects/domains/oim_dom/config/fmwconfig/jps-config.xml", keyFilePath="myDir" ,keyFilePassword="password")

<MW_HOME>/oracle_common/common/bin/wlst.sh <IAM_HOME>/common/tools/configureSecurityStore.py -d <MW_Home>/user_projects/domains/oam_dom -c IAM -p welcome1 -m join -k myDir -w password

■ Scenario 2: Extend the Oracle Access Management Domain previously joined to the Database Security Store to include Oracle Adaptive Access Manager

To achieve this, extend the Oracle Access Management domain (oam_dom) to include Oracle Adaptive Access Manager. For more information, see "Extend an Existing Domain".

Oracle Adaptive Access Manager is added to the Oracle Access Management domain (oam_dom), and they both share the same Database Security Store used by the Oracle Access Manager domain.
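The create, join and validate invocations of Section 3.2.9.3 and the first-domain-creates, later-domains-join sequence of these scenarios can be driven from a small POSIX shell wrapper. The script below is an added example and not part of the Oracle guide: it builds each configureSecurityStore.py command line from the requested mode, rejects a join that lacks the -k and -w arguments Table 3–2 marks as mandatory, and checks that the domain and the exported ewallet.p12 exist before WLST is launched. It assumes MW_HOME and IAM_HOME are exported and that the domain's jps-config.xml sits under config/fmwconfig as in the examples above; the DBSS_DRY_RUN variable and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the Oracle guide: a wrapper around the
# configureSecurityStore.py invocations of Section 3.2.9 (create, join,
# validate). Assumes MW_HOME and IAM_HOME are exported; the script path and
# the argument names are the ones shown in the guide and in Table 3-2.

# Check the on-disk preconditions before launching WLST:
#  - the domain has been created by the Configuration Wizard, i.e. its
#    config/fmwconfig/jps-config.xml exists (path as in the guide's examples);
#  - for -m join, the ewallet.p12 exported from the first domain is present
#    in keyfilepath (Table 3-2: -k is mandatory for join).
# Returns 0 when the checks pass, 1 otherwise (reason on stderr).
dbss_preflight() {
  mode=$1; domaindir=$2; keydir=$3
  if [ ! -f "$domaindir/config/fmwconfig/jps-config.xml" ]; then
    echo "dbss_preflight: no jps-config.xml under $domaindir; create the domain first" >&2
    return 1
  fi
  if [ "$mode" = join ] && [ ! -f "$keydir/ewallet.p12" ]; then
    echo "dbss_preflight: no ewallet.p12 in $keydir; export the key from the first domain" >&2
    return 1
  fi
  return 0
}

# Print the WLST command line for one configureSecurityStore.py run.
#   dbss_command <create|join|validate> <domaindir> [opss_password] [keyfilepath] [keyfilepassword]
# Enforces the Table 3-2 rules: -c IAM and -p for create and join, -k and -w
# for join. Returns 1 and prints nothing when a mandatory argument is missing.
dbss_command() {
  mode=$1; domaindir=$2; opss_pw=$3; keydir=$4; keypw=$5
  wlst="${MW_HOME:?MW_HOME is not set}/oracle_common/common/bin/wlst.sh"
  script="${IAM_HOME:?IAM_HOME is not set}/common/tools/configureSecurityStore.py"
  case "$mode" in
    create)
      [ -n "$opss_pw" ] || { echo "dbss_command: create needs the OPSS schema password" >&2; return 1; }
      printf '%s %s -d %s -c IAM -p %s -m create\n' "$wlst" "$script" "$domaindir" "$opss_pw"
      ;;
    join)
      if [ -z "$opss_pw" ] || [ -z "$keydir" ] || [ -z "$keypw" ]; then
        echo "dbss_command: join needs the OPSS schema password, keyfilepath and keyfilepassword" >&2
        return 1
      fi
      printf '%s %s -d %s -c IAM -p %s -m join -k %s -w %s\n' \
        "$wlst" "$script" "$domaindir" "$opss_pw" "$keydir" "$keypw"
      ;;
    validate)
      printf '%s %s -d %s -m validate\n' "$wlst" "$script" "$domaindir"
      ;;
    *)
      echo "dbss_command: unsupported mode '$mode'" >&2
      return 1
      ;;
  esac
}

# Run one mode end to end: preflight, the create or join call, then the
# -m validate pass described in Section 3.2.9.3. In a multi-domain deployment
# call this with "create" for the first domain and "join" (same keydir and
# keypw) for every later domain, each time before that domain is first started.
# Set DBSS_DRY_RUN=1 to print the two commands instead of executing them.
# As in the guide's own examples, the OPSS password given with -p is visible
# in the process list while WLST runs and lands in the shell history when
# typed interactively.
dbss_configure() {
  mode=$1; domaindir=$2; opss_pw=$3; keydir=$4; keypw=$5
  dbss_preflight "$mode" "$domaindir" "$keydir" || return 1
  cmd=$(dbss_command "$mode" "$domaindir" "$opss_pw" "$keydir" "$keypw") || return 1
  chk=$(dbss_command validate "$domaindir")
  if [ "${DBSS_DRY_RUN:-0}" = 1 ]; then
    printf '%s\n%s\n' "$cmd" "$chk"
  else
    $cmd && $chk   # unquoted on purpose: split the printed line back into words
  fi
}
```

The unquoted `$cmd` expansion means the domain and key directories must not contain spaces, which matches the paths the guide uses.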

3.2.10 Starting the Servers

After installing and configuring Oracle Identity and Access Management, you must run the Oracle WebLogic Administration Server and various Managed Servers, as described in Section C.1, "Starting the Stack".

Note: The WebLogic domain will not start unless the Database Security Store has already been configured.

4 Configuring Oracle Identity Navigator

This chapter explains how to configure Oracle Identity Navigator. It includes the following topics:

■ Important Note Before You Begin

■ Installation and Configuration Roadmap for Oracle Identity Navigator

■ Configuring Oracle Identity Navigator in a New WebLogic Domain

■ Starting the Servers

■ Verifying Oracle Identity Navigator

■ Getting Started with Oracle Identity Navigator After Installation

4.1 Important Note Before You Begin

Before you start installing and configuring Oracle Identity and Access Management products in any of the scenarios discussed in this guide, note that IAM_Home is used to refer to the Oracle Home directory that includes Oracle Identity Manager, Oracle Access Management, Oracle Adaptive Access Manager, Oracle Entitlements Server, Oracle Identity Navigator, Oracle Privileged Account Manager, and Oracle Access Management Mobile and Social. You can specify any name for this Oracle Home directory.

4.2 Installation and Configuration Roadmap for Oracle Identity Navigator

Table 4–1 lists the tasks for installing and configuring Oracle Identity Navigator.

Table 4–1 Installation and Configuration Flow for Oracle Identity Navigator

1. Review installation concepts in the Installation Planning Guide.
    Read the Oracle Fusion Middleware Installation Planning Guide, which describes the process for various users to install or upgrade to Oracle Fusion Middleware 11g (11.1.2) depending on the user's existing environment.

2. Review the system requirements and certification documents to ensure that your environment meets the minimum installation requirements for the components you are installing.
    For more information, see Section 2.1, "Reviewing System Requirements and Certification".

3. Obtain the Oracle Fusion Middleware Software.
    For more information, see Section 3.2.1, "Obtaining the Oracle Fusion Middleware Software".

4. Review the Database requirements.
    For more information, see Section 3.2.2, "Database Requirements".

5. Run Oracle Fusion Middleware Repository Creation Utility (RCU) to create and load the appropriate schemas for Oracle Identity and Access Management products.
    For more information, see Section 3.2.3, "Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU)".

6. Review WebLogic Server and Middleware Home requirements.
    For more information, see Section 3.2.4, "WebLogic Server and Middleware Home Requirements".

7. Start the Oracle Identity and Access Management Installer.
    For more information, see Section 3.2.6, "Starting the Oracle Identity and Access Management Installer".

8. Install the Oracle Identity and Access Management 11g software.
    Oracle Identity Navigator is included in the Oracle Identity and Access Management Suite. You can use the Oracle Identity and Access Management 11g Installer to install Oracle Identity and Access Management Suite.
    For more information, see Section 3.2.7, "Installing Oracle Identity and Access Management (11.1.2)".

9. Run the Oracle Fusion Middleware Configuration Wizard to configure your Oracle Identity and Access Management products in a new or existing WebLogic domain.
    For more information, see Section 4.3, "Configuring Oracle Identity Navigator in a New WebLogic Domain".

10. Configure the Database Security Store.
    For more information, see Section 3.2.9, "Configuring Database Security Store for an Oracle Identity and Access Management Domain".

11. Start the servers. You must start the WebLogic Administration Server.
    For more information, see Section 4.4, "Starting the Servers".

12. Complete the post-installation tasks. Complete the following post-installation tasks:

    ■ Section 4.5, "Verifying Oracle Identity Navigator"

    ■ Section 4.6, "Getting Started with Oracle Identity Navigator After Installation"

4.3 Configuring Oracle Identity Navigator in a New WebLogic Domain

This topic describes how to configure only Oracle Identity Navigator in a new WebLogic administration domain. It includes the following sections:

■ Appropriate Deployment Environment

■ Components Deployed

■ Dependencies

■ Procedure

4.3.1 Appropriate Deployment Environment

Perform the configuration in this topic if you want to configure Oracle Identity Navigator with Oracle Identity Manager, Oracle Access Management, and Oracle Adaptive Access Manager in a new WebLogic domain and then run the Oracle Identity Navigator discovery feature. This feature populates links to the product consoles for Oracle Identity Manager, Oracle Access Management, and Oracle Adaptive Access Manager. You can then access those product consoles from within the Oracle Identity Navigator interface, without having to remember the individual console URLs.


4.3.2 Components Deployed

Performing the configuration in this section deploys the Oracle Identity Navigator application on a new WebLogic Administration Server.

4.3.3 Dependencies

The configuration in this section depends on the following:

■ Oracle WebLogic Server 11g Release 1 (10.3.6) or Oracle WebLogic Server 11g Release 1 (10.3.5).

■ Installation of the Oracle Identity and Access Management 11g software.

■ Database schemas for Oracle Identity Navigator. For more information, see Section 3.2.3, "Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU)".

4.3.4 Procedure

Perform the following steps to configure only Oracle Identity Navigator in a new WebLogic administration domain:

1. Start the Oracle Fusion Middleware Configuration Wizard by running the <IAM_Home>/common/bin/config.sh script (on UNIX), or <IAM_Home>\common\bin\config.cmd (on Windows).

Note: IAM_Home is used as an example here. You must run this script from your Oracle Identity and Access Management Home directory that contains Oracle Identity Manager, Oracle Access Management, Oracle Adaptive Access Manager, Oracle Entitlements Server, Oracle Identity Navigator, Oracle Privileged Account Manager, and Oracle Access Management Mobile and Social.

The Welcome screen of the Oracle Fusion Middleware Configuration Wizard appears.

2. On the Welcome screen, select Create a new WebLogic domain, and click Next. The Select Domain Source screen appears.

3. On the Select Domain Source screen ensure that the Generate a domain configured automatically to support the following products: option is selected. Select Oracle Identity Navigator - 11.1.2.0.0 [IAM_Home], and click Next. The Specify Domain Name and Location screen appears.

Note: When you select the Oracle Identity Navigator - 11.1.2.0.0 [IAM_Home] option, the following options are also selected, by default:

■ Oracle Platform Security Service 11.1.1.0 [IAM_Home]

■ Oracle JRF 11.1.1.0 [oracle_common]

4. Enter a name and a location for the domain to be created, and click Next. The Configure Administrator User Name and Password screen appears.

5. Configure a user name and a password for the administrator. The default user name is weblogic. Click Next.


6. Choose a JDK and Production Mode in the Configure Server Start Mode and JDK screen of the Oracle Fusion Middleware Configuration Wizard. Click Next. The Configure JDBC Component Schema screen is displayed.

7. On the Configure JDBC Component Schema screen, select a component schema, such as the OPSS Schema that you want to modify.

You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, click Next. The Select Optional Configuration screen appears.

8. On the Select Optional Configuration screen, you can configure Administration Server and Managed Servers, Clusters, and Machines, Deployments and Services, and RDBMS Security Store options. Click Next.

9. Optional: Configure the following Administration Server parameters:

■ Name

■ Listen address

■ Listen port

■ SSL listen port

■ SSL enabled or disabled

10. Optional: Assign the Administration Server to a machine.

11. Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

12. Optional: Configure RDBMS Security Store, as required.

13. On the Configuration Summary screen, you can view summaries of your configuration for deployments, application, and service. Review the domain configuration, and click Create to start creating the domain.

A new WebLogic domain to support Oracle Identity Navigator is created in the <MW_HOME>\user_projects\domains directory (on Windows). On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory.

4.4 Starting the Servers

After installing and configuring Oracle Identity Navigator, you must start the Oracle WebLogic Administration Server, as described in Appendix C.1, "Starting the Stack".

Note: After configuring Oracle Identity Navigator in a new WebLogic administration domain, you must configure the Database Security Store. For more information, see Section 3.2.9, "Configuring Database Security Store for an Oracle Identity and Access Management Domain".

4.5 Verifying Oracle Identity Navigator

To verify the installation of Oracle Identity Navigator, complete the following steps:

1. Log in to the Administration Console for Oracle Identity Navigator using the following URL:

http://<adminserver-host>:<adminserver-port>/oinav/faces/idmNag.jspx

The Oracle Identity Navigator dashboard and the resource catalog are displayed.

2. Click the Customize link on the upper right corner of the screen to switch to the Edit mode.

3. Click the Add Content button on the page. A resource catalog pops up.

4. In the pop-up dialog, click the Open link for the folder IDM Product Launcher. The Launcher task flow pops up.

5. In the pop-up dialog, click the Add link. Verify that the Launcher portlet is added to the page content. Continue to add News task flows to the page, without closing the pop-up dialog. Click the up arrow at the upper left corner. The top folder layout is displayed again. Click the Open link for the folder News. The News and Announcements task flow pops up.

6. In the News and Announcements pop-up dialog, click the Add link. Verify that the Report portlet is added to the page content. Continue to add Reports task flows to the page, without closing the pop-up dialog. Click the up arrow at the upper left corner. The top folder layout is displayed again. Click the Open link for the folder My Reports. Click the Add link and the Close button (X). All three task flows are added to the page content.

7. Change the default layout, if necessary, by clicking the Pencil icon located on the upper right area of the screen.

8. To exit the Edit mode, click the Close button.

If the task flows are properly added to the page content, the screen displays the task flow content.

9. Test the Product Registration functionality as follows:

a. Create, edit, or delete the product information by clicking the Administration tab.

b. To add a new product, click the Create image icon in the Product Registration section. The New Product Registration dialog pops up.

c. Enter the relevant information in this dialog, and the new product registration is updated accordingly. The new product registration data is updated on the Launcher portlet after you click the Dashboard tab.

d. Click the product link and ensure that a new browser window or tab opens with the registered product URL.

10. Test the News functionality as follows:

a. Click the refresh icon to update the RSS feed content.

b. Click the news item link to open the source of content in a new browser window or tab.

11. Test the Reports functionality as follows:

a. Add a report by clicking the Add icon. The Add Report dialog pops up.

b. In this dialog, select a report to add, and click the Add Report button. Verify that the report is added.

c. Run a report by clicking the report icon. The report opens in a new browser window or tab.


4.6 Getting Started with Oracle Identity Navigator After Installation

After installing Oracle Identity Navigator, refer to the "Using Identity Navigator" chapter in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Navigator.


5 Configuring Oracle Identity Manager

This chapter explains how to configure Oracle Identity Manager.

It includes the following topics:

■ Important Notes Before You Start Configuring Oracle Identity Manager

■ Installation and Configuration Roadmap for Oracle Identity Manager

■ Creating a new WebLogic Domain for Oracle Identity Manager and SOA

■ Starting the Servers

■ Overview of Oracle Identity Manager Configuration

■ Starting the Oracle Identity Manager 11g Configuration Wizard

■ Configuring Oracle Identity Manager Server

■ Optional: Configuring Oracle Identity Manager Design Console

■ Optional: Configuring Oracle Identity Manager Remote Manager

■ Verifying the Oracle Identity Manager Installation

■ Setting Up Integration with Oracle Access Management

■ Using the Diagnostic Dashboard

■ Getting Started with Oracle Identity Manager After Installation

5.1 Important Notes Before You Start Configuring Oracle Identity Manager

Before you start configuring Oracle Identity Manager, keep the following points in mind:

■ IAM_Home is used to refer to the Oracle Home directory that includes Oracle Identity Manager, Oracle Access Management, Oracle Adaptive Access Manager, Oracle Entitlements Server, Oracle Identity Navigator, Oracle Privileged Account Manager, and Oracle Access Management Mobile and Social. You can specify any name for this Oracle Home directory.

■ By performing the domain configuration procedures described in this chapter, you can create Managed Servers on a local machine (the machine on which the Administration Server is running). However, you can create and start Managed Servers for Oracle Identity and Access Management components on a remote machine. For more information, see the "Creating and Starting a Managed Server on a Remote Machine" topic in the guide Oracle Fusion Middleware Creating Templates and Domains Using the Pack and Unpack Commands.

Note: To invoke online help at any stage of the Oracle Identity Manager configuration process, click the Help button on the Oracle Identity Manager Configuration Wizard screens.

■ You must use the Oracle Identity Manager Configuration Wizard to configure Oracle Identity Manager Server, Oracle Identity Manager Design Console (on Windows only), and Oracle Identity Manager Remote Manager.

If you are configuring Oracle Identity Manager Server, you must run the Oracle Identity Manager configuration wizard on the machine where the Administration Server is running. For configuring the Server, you can run the wizard only once during the initial setup of the Server. After the successful setup of Oracle Identity Manager Server, you cannot run the Oracle Identity Manager Configuration Wizard again to modify the configuration of Oracle Identity Manager Server. For such modifications, you must use Oracle Enterprise Manager Fusion Middleware Control.

If you are configuring only Design Console or Remote Manager, you can run the Oracle Identity Manager Configuration Wizard on the machine where Design Console or Remote Manager is being configured. You can configure Design Console or Remote Manager after configuring the Oracle Identity Manager Server. Note that you can run the Oracle Identity Manager Configuration Wizard to configure Design Console or Remote Manager as and when you need to configure them on new machines.

Note that Oracle Identity Manager requires Oracle SOA Suite 11g (11.1.1.6.0), which should be exclusive to Oracle Identity and Access Management. You must install Oracle SOA Suite before configuring Oracle Identity Manager. If you are setting up integration between Oracle Identity Manager and Oracle Access Management, ensure that Oracle Identity Manager, Oracle Access Management, and Oracle SOA Suite are configured in the same domain.

5.2 Installation and Configuration Roadmap for Oracle Identity Manager

Table 5–1 lists the tasks for installing and configuring Oracle Identity Manager.

Table 5–1 Installation and Configuration Flow for Oracle Identity Manager

No. Task Description

1 Review installation concepts in the Installation Planning Guide.

Read the Oracle Fusion Middleware Installation Planning Guide, which describes the process for various users to install or upgrade to Oracle Fusion Middleware 11g (11.1.2) depending on the user's existing environment.

2 Review the system requirements and certification documents to ensure that your environment meets the minimum installation requirements for the components you are installing.

For more information, see Section 2.1, "Reviewing System Requirements and Certification".

3 Obtain the Oracle Fusion Middleware Software.

For more information, see Section 3.2.1, "Obtaining the Oracle Fusion Middleware Software".

4 Review the Database requirements. For more information, see Section 3.2.2, "Database Requirements".


5 Run Oracle Fusion Middleware Repository Creation Utility (RCU) to create and load the appropriate schemas for Oracle Identity and Access Management products.

For more information, see Section 3.2.3, "Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU)".

6 Review WebLogic Server and Middleware Home requirements.

For more information, see Section 3.2.4, "WebLogic Server and Middleware Home Requirements".

7 Install Oracle SOA Suite 11g (11.1.1.6.0).

Install the 11.1.1.6.0 version of Oracle SOA Suite.

For more information, see Section 3.2.5, "Installing Oracle SOA Suite 11.1.1.6.0 (Oracle Identity Manager Users Only)".

8 Start the Oracle Identity and Access Management Installer.

For more information, see Section 3.2.6, "Starting the Oracle Identity and Access Management Installer".

9 Install the Oracle Identity and Access Management 11g software.

Oracle Identity Manager is included in the Oracle Identity and Access Management Suite. You can use the Oracle Identity and Access Management 11g Installer to install Oracle Identity and Access Management Suite.

For more information, see Section 3.2.7, "Installing Oracle Identity and Access Management (11.1.2)".

10 Run the Oracle Fusion Middleware Configuration Wizard to configure your Oracle Identity and Access Management products in a new or existing WebLogic domain.

For more information, see Section 5.3, "Creating a new WebLogic Domain for Oracle Identity Manager and SOA".

11 Configure the Database Security Store. For more information, see Section 3.2.9, "Configuring Database Security Store for an Oracle Identity and Access Management Domain".

12 Start the servers. You must start the Administration Server.

For more information, see Section 5.4, "Starting the Servers".

13 Review the Oracle Identity Manager Server, Design Console, and Remote Manager configuration scenarios.

For more information, see Section 5.5, "Overview of Oracle Identity Manager Configuration".

14 Start the Oracle Identity Manager 11g Configuration Wizard.

For more information, see Section 5.6, "Starting the Oracle Identity Manager 11g Configuration Wizard".

15 Configure Oracle Identity Manager Server.

For more information, see Section 5.7, "Configuring Oracle Identity Manager Server".

16 Optional: Install and Configure only Oracle Identity Manager Design Console on Windows.

For more information, see Section 5.8, "Optional: Configuring Oracle Identity Manager Design Console".

17 Optional: Configure Oracle Identity Manager Remote Manager.

For more information, see Section 5.9, "Optional: Configuring Oracle Identity Manager Remote Manager".

18 Complete the post-installation tasks. Complete the following post-installation tasks:

■ Section 5.10, "Verifying the Oracle Identity Manager Installation"

■ Section 5.11, "Setting Up Integration with Oracle Access Management"

■ Section 5.12, "List of Supported Languages"

■ Section 5.13, "Using the Diagnostic Dashboard"

■ Section 5.14, "Getting Started with Oracle Identity Manager After Installation"


5.3 Creating a new WebLogic Domain for Oracle Identity Manager and SOA

This topic describes how to create a new WebLogic domain for Oracle Identity Manager and SOA. It includes the following sections:

■ Appropriate Deployment Environment

■ Components Deployed

■ Dependencies

■ Procedure

5.3.1 Appropriate Deployment Environment

Perform the configuration in this topic if you want to install Oracle Identity Manager in an environment where you may use Oracle Identity Manager as a provisioning or request solution. This option is also appropriate for Oracle Identity Manager environments that do not use Single Sign-On (SSO) or Oracle Access Manager.

5.3.2 Components Deployed

Performing the configuration in this section installs the following components:

■ Administration Server

■ Managed Servers for Oracle Identity Manager and SOA.

■ Oracle Identity Manager System Administration Console, and Oracle Identity Manager Self Service Console on the Oracle Identity Manager Managed Server

5.3.3 Dependencies

The configuration in this section depends on the following:

■ Oracle WebLogic Server 11g Release 1 (10.3.6) or Oracle WebLogic Server 11g Release 1 (10.3.5).

■ Installation of the Oracle Identity and Access Management 11g Release 2 (11.1.2) software.

■ Installation of Oracle SOA Suite 11g (11.1.1.6.0).

■ Database schemas for Oracle Identity Manager and Oracle SOA 11g Suite.

5.3.4 Procedure

Complete the following steps to create a new WebLogic domain for Oracle Identity Manager and SOA and to configure Oracle Identity Manager Server, Design Console, and Remote Manager:

1. Review the section Important Notes Before You Start Configuring Oracle Identity Manager.

2. Run the <IAM_Home>/common/bin/config.sh script (on UNIX). (<IAM_Home>\common\bin\config.cmd on Windows). The Welcome screen of the Oracle Fusion Middleware Configuration Wizard appears.

3. On the Welcome screen, select Create a new WebLogic domain, and click Next. The Select Domain Source screen appears.


4. On the Select Domain Source screen, ensure that the Generate a domain configured automatically to support the following products: option is selected.

Select Oracle Identity Manager - 11.1.2.0.0 [IAM_Home]. When you select the Oracle Identity Manager - 11.1.2.0.0 [IAM_Home] option, the following options are also selected, by default:

■ Oracle SOA Suite - 11.1.1.1.0 [Oracle_SOA1]

■ Oracle Enterprise Manager 11.1.1.0 [oracle_common]

■ Oracle Platform Security Service 11.1.1.0 [IAM_Home]

■ Oracle JRF 11.1.1.0 [oracle_common]

■ Oracle JRF WebServices Asynchronous services - 11.1.1.0 [oracle_common]

■ Oracle WSM Policy Manager 11.1.1.0 [oracle_common]

Click Next. The Specify Domain Name and Location screen appears.

5. Enter a name and a location for the domain to be created, and click Next. The Configure Administrator User Name and Password screen appears.

Note:

■ If you want to use Authorization Policy Manager for the new WebLogic domain for Oracle Identity Manager, then you must select the Oracle Entitlements Server for Admin Server- 11.1.1.0 [IAM_Home] option.

■ If you have an existing WebLogic domain for Oracle Identity Manager, and you want to use Authorization Policy Manager, then you must perform the following steps:

1. On the Welcome screen of the Oracle Fusion Middleware Configuration Wizard, select Extend an existing WebLogic domain, and click Next.

2. On the Select a WebLogic Domain Directory screen, select the directory that contains the domain in which you configured Oracle Identity Manager. Click Next.

3. On the Select Extension Source screen, ensure that the Extend my domain automatically to support the following added products: option is selected, and select the Oracle Entitlements Server for Admin Server- 11.1.1.0 [IAM_Home] or Oracle Entitlements Server for Managed Server- 11.1.1.0 [IAM_Home] option. Click Next.

4. The Configure JDBC Component Schema screen appears. Continue with step 8. Note that for step 9, Administration Server and RDBMS Security Store options are not available when you are extending a domain.


6. Configure a user name and a password for the administrator. The default user name is weblogic. Click Next.

7. Choose a JDK and Production Mode in the Configure Server Start Mode and JDK screen of the Oracle Fusion Middleware Configuration Wizard. Click Next. The Configure JDBC Component Schema screen appears. This screen displays a list of the following component schemas:

■ SOA Infrastructure

■ User Messaging Service

■ OIM MDS Schema

■ OWSM MDS Schema

■ SOA MDS Schema

■ OIM Infrastructure

■ OPSS Schema

8. On the Configure JDBC Component Schema screen, select a component schema that you want to modify. You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.

9. On the Select Optional Configuration screen, you can configure the Administration Server, JMS Distributed Destination, Managed Servers, Clusters, and Machines, Deployments and Services, JMS File Store, and RDBMS Security Store. Click Next.

10. Optional: Configure the following Administration Server parameters:

■ Name

■ Listen address

■ Listen port

■ SSL listen port

■ SSL enabled or disabled

Click Next.

11. Optional: Configure JMS Distributed Destination, as required. Click Next.

12. Optional: Configure Managed Servers, as required. Click Next.

13. Optional: Configure Clusters, as required. Click Next.

For more information about configuring clusters for Oracle Identity and Access Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

14. Optional: Assign Managed Servers to Clusters, as required. Click Next.

15. Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine. Click Next.

Tip: Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.


16. Optional: Assign servers to machines. Click Next.

17. Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server. Click Next.

18. On the Configuration Summary screen, you can view summaries of your configuration for deployments, application, and service. Review the domain configuration, and click Create to start creating the domain.

After the domain configuration is complete, click Done to close the configuration wizard.

A new WebLogic domain to support Oracle Identity Manager is created in the <MW_HOME>\user_projects\domains directory (on Windows). On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory.

19. Start the Administration Server, as described in Appendix C, "Starting or Stopping the Oracle Stack".

20. Start the Oracle Identity Manager Configuration Wizard, as described in Section 5.6, "Starting the Oracle Identity Manager 11g Configuration Wizard".

21. Configure the Oracle Identity Manager Server, Design Console, or Remote Manager, as described in Section 5.7, "Configuring Oracle Identity Manager Server", Section 5.8, "Optional: Configuring Oracle Identity Manager Design Console", and Section 5.9, "Optional: Configuring Oracle Identity Manager Remote Manager".
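Both this procedure (steps 9 and 10) and the Oracle Identity Navigator procedure earlier in Chapter 4 let you set the Administration Server name, listen address, listen port, SSL listen port, and whether SSL is enabled. The Configuration Wizard writes those choices into the new domain's config/config.xml, so they can be verified after the domain is created and before the Administration Server is started. The following Python script is an added example, not part of this guide or of the Oracle product: it parses config.xml and reports when SSL is disabled on the Administration Server, when no listen address is set (the server then binds to every interface on the host), or when the SSL and plain listen ports collide. The embedded config.xml is a constructed sample trimmed to the elements the check reads; the domain name, server names, host name and ports in it are assumptions.

```python
"""Post-creation check of the Administration Server settings recorded in a
WebLogic domain's config.xml. Added example; not part of the Oracle
documentation or product."""
import sys
import xml.etree.ElementTree as ET

# WebLogic domain configuration elements live in this namespace.
NS = {"d": "http://xmlns.oracle.com/weblogic/domain"}

# Constructed sample, trimmed to the elements this check reads. A real
# <MW_HOME>/user_projects/domains/<domain>/config/config.xml holds far more.
SAMPLE_CONFIG_XML = """<?xml version="1.0" encoding="UTF-8"?>
<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>IAMDomain</name>
  <admin-server-name>AdminServer</admin-server-name>
  <server>
    <name>AdminServer</name>
    <ssl>
      <enabled>false</enabled>
      <listen-port>7002</listen-port>
    </ssl>
    <listen-port>7001</listen-port>
  </server>
  <server>
    <name>oim_server1</name>
    <listen-port>14000</listen-port>
    <listen-address>iamhost.example.com</listen-address>
  </server>
</domain>
"""


def _text(elem, tag, default=None):
    """Return the stripped text of the first child <tag>, or default if absent."""
    node = elem.find(f"d:{tag}", NS)
    if node is None or node.text is None:
        return default
    return node.text.strip()


def server_settings(config_xml):
    """Map each <server> name to its listen address, listen port and SSL settings.
    Missing ports fall back to the WebLogic defaults (7001 plain, 7002 SSL)."""
    root = ET.fromstring(config_xml)
    servers = {}
    for srv in root.findall("d:server", NS):
        ssl = srv.find("d:ssl", NS)
        servers[_text(srv, "name")] = {
            "listen_address": _text(srv, "listen-address", ""),
            "listen_port": int(_text(srv, "listen-port", "7001")),
            "ssl_enabled": ssl is not None and _text(ssl, "enabled", "false") == "true",
            "ssl_listen_port": int(_text(ssl, "listen-port", "7002")) if ssl is not None else None,
        }
    return _text(root, "admin-server-name", "AdminServer"), servers


def check_admin_server(config_xml):
    """Return a list of findings about the Administration Server; empty means clean."""
    admin_name, servers = server_settings(config_xml)
    if admin_name not in servers:
        return [f"no <server> entry found for admin server '{admin_name}'"]
    s = servers[admin_name]
    findings = []
    if not s["ssl_enabled"]:
        findings.append(f"{admin_name}: SSL is disabled; console and WLST traffic "
                        f"would use the plaintext listen port {s['listen_port']}")
    if not s["listen_address"]:
        findings.append(f"{admin_name}: no listen address set, so the server binds "
                        f"to every interface on the host")
    if s["ssl_enabled"] and s["ssl_listen_port"] == s["listen_port"]:
        findings.append(f"{admin_name}: SSL listen port and plain listen port are "
                        f"both {s['listen_port']}")
    return findings


if __name__ == "__main__":
    # Usage: python check_admin_server.py <DOMAIN_HOME>/config/config.xml
    # Without an argument, the constructed sample above is checked.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_CONFIG_XML
    for finding in check_admin_server(xml_text) or ["no findings"]:
        print(finding)
```

Run it against the sample and it reports two findings (SSL disabled, no listen address); run it against a domain whose Administration Server has SSL enabled and a listen address set and it reports none. The check reads only the domain-level file, so changes made later through the Administration Console are picked up on the next run.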

5.4 Starting the Servers

After installing and configuring Oracle Identity Manager in a WebLogic domain, you must start the Oracle WebLogic Administration Server, as described in Appendix C.1, "Starting the Stack".

Note: After configuring Oracle Identity Manager in a new WebLogic administration domain, you must configure the Database Security Store. For more information, see Section 3.2.9, "Configuring Database Security Store for an Oracle Identity and Access Management Domain".

Note: If weblogic is not your WebLogic administrator user name, you must complete a set of manual steps after starting the servers. For more information, see Section 2.6, "Optional: Updating the WebLogic Administrator Server User Name in Oracle Enterprise Manager Fusion Middleware Control (OIM Only)".


5.5 Overview of Oracle Identity Manager Configuration

This section discusses the following topics:

■ Before Configuring Oracle Identity Manager Server, Design Console, or Remote Manager

■ Oracle Identity Manager Configuration Scenarios

5.5.1 Before Configuring Oracle Identity Manager Server, Design Console, or Remote Manager

Before configuring Oracle Identity Manager using the Oracle Identity Manager Wizard, ensure that you have installed and configured Oracle Identity Manager and SOA in a WebLogic Server domain.

The Oracle Identity Manager 11g Configuration Wizard prompts you to enter information about certain configurations, such as Database, Schemas, WebLogic Administrator User Name and Password, and LDAP Server. Therefore, keep this information ready with you before starting the Identity Management 11g Configuration Wizard.

This section discusses the following topics:

■ Prerequisites for Configuring Oracle Identity Manager Server

■ Prerequisites for Configuring Only Oracle Identity Manager Design Console on a Different Machine

■ Prerequisites for Configuring Only Oracle Identity Manager Remote Manager on a Different Machine

5.5.1.1 Prerequisites for Configuring Oracle Identity Manager Server

Before you can configure Oracle Identity Manager Server using the Oracle Identity Manager Configuration Wizard, you must complete the following prerequisites:

1. Installing a supported version of Oracle database. For more information, see Section 3.2.2.

2. Creating and loading the required schemas in the database. For more information, see Section 3.2.3, "Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU)".

3. Installing Oracle WebLogic Server and creating a Middleware Home directory. For more information, see Section 3.2.4, "WebLogic Server and Middleware Home Requirements".

4. Installing Oracle SOA Suite 11g Release 1 (11.1.1.6.0) under the same Middleware Home directory. For more information, see Section 3.2.5, "Installing Oracle SOA Suite 11.1.1.6.0 (Oracle Identity Manager Users Only)".

5. Installing the Oracle Identity and Access Management Suite (the suite that contains Oracle Identity Manager, Oracle Access Management, Oracle Adaptive Access Manager, Oracle Entitlements Server, Oracle Privileged Account Manager, Oracle Identity Navigator, and Oracle Access Management Mobile and Social) under the Middleware Home directory. For more information, see Section 3.2.7, "Installing Oracle Identity and Access Management (11.1.2)".

6. Creating a new WebLogic domain or extending an existing Identity Management 11.1.1.6.0 domain for Oracle Identity Manager and Oracle SOA. For more information, see Section 5.3, "Creating a new WebLogic Domain for Oracle Identity Manager and SOA".

7. Starting the Oracle WebLogic Administration Server for the domain in which the Oracle Identity Manager application is deployed. For more information, see Appendix C.1, "Starting the Stack".

Notes:

■ If weblogic is not your WebLogic administrator user name, you must complete a set of manual steps after starting the servers. For more information, see Section 2.6, "Optional: Updating the WebLogic Administrator Server User Name in Oracle Enterprise Manager Fusion Middleware Control (OIM Only)".

■ Oracle Identity Manager requires Oracle SOA Suite. In order to avoid concurrent update, Oracle Identity Manager and SOA servers should not be started simultaneously. Start the SOA server first, wait for the SOA server to come up and then start the Oracle Identity Manager server.
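The Note in this prerequisites section says to start the SOA server, wait for it to come up, and only then start the Oracle Identity Manager server. The following Python script is an added example, not part of this guide or of the Oracle product: it launches each Managed Server through the domain's bin/startManagedWebLogic.sh script and refuses to launch the next server until the previous one accepts TCP connections on its listen port, so the two are never brought up at the same time. The server names soa_server1 and oim_server1, the ports 8001 and 14000, and the use of a listen-port probe as the readiness signal are assumptions; a port that accepts connections shows the server process is listening, not that every application has finished deploying, so lengthen the timeout or probe an application URL if your environment needs a stronger signal.

```python
"""Start the SOA Managed Server before the Oracle Identity Manager Managed
Server, waiting for SOA to accept connections first. Added example; not part
of the Oracle documentation or product."""
import os
import socket
import subprocess
import sys
import time

# Assumed Managed Server names and listen ports, in the required start order.
DEFAULT_PLAN = (
    ("soa_server1", 8001),
    ("oim_server1", 14000),
)


def wait_for_listener(host, port, timeout=600.0, interval=5.0):
    """Poll host:port until a TCP listener accepts a connection, or until
    timeout seconds have elapsed. Returns True on success, False on timeout."""
    deadline = time.monotonic() + timeout
    while True:
        try:
            socket.create_connection((host, port), timeout=interval).close()
            return True
        except OSError:  # refused, unreachable, or connect timed out
            if time.monotonic() >= deadline:
                return False
            time.sleep(interval)


def launch_managed_server(domain_home, admin_url):
    """Return a launcher that runs the domain's startManagedWebLogic.sh for a
    given server name (the script takes the server name and the Admin URL)."""
    script = os.path.join(domain_home, "bin", "startManagedWebLogic.sh")

    def launcher(server_name):
        # The server writes its own log under the domain directory, so the
        # console output of the start script is not kept here.
        return subprocess.Popen([script, server_name, admin_url],
                                stdout=subprocess.DEVNULL,
                                stderr=subprocess.STDOUT)
    return launcher


def ordered_startup(plan, host, launcher, probe=wait_for_listener, timeout=600.0):
    """Launch the servers in plan order, gating each launch on the previous
    server listening. Returns the names of the servers that came up; raises
    RuntimeError (without launching later servers) if one never listens."""
    started = []
    for server_name, port in plan:
        launcher(server_name)
        if not probe(host, port, timeout):
            raise RuntimeError(f"{server_name} did not open port {port} within "
                               f"{timeout:.0f}s; later servers were not started")
        started.append(server_name)
    return started


if __name__ == "__main__":
    # Usage: python start_oim_stack.py <DOMAIN_HOME> <admin-url> [listen-host]
    # e.g. <MW_HOME>/user_projects/domains/<domain> t3://<adminserver-host>:<adminserver-port>
    domain_home, admin_url = sys.argv[1], sys.argv[2]
    host = sys.argv[3] if len(sys.argv) > 3 else "localhost"
    print(ordered_startup(DEFAULT_PLAN, host, launch_managed_server(domain_home, admin_url)))
```

The launcher and the probe are passed in as callables so the ordering logic can be exercised without a WebLogic installation; in production the defaults run the real start script and the real TCP probe.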

5.5.1.2 Prerequisites for Configuring Only Oracle Identity Manager Design Console on a Different Machine

On the machine where you are installing and configuring Design Console, you must install the Oracle Identity and Access Management 11g Release 2 (11.1.2.0.0) software containing Oracle Identity Manager, Oracle Access Management, Oracle Adaptive Access Manager, Oracle Entitlements Server, Oracle Identity Navigator, Oracle Privileged Account Manager, and Oracle Access Management Mobile and Social. For information, see Section 3.2.7, "Installing Oracle Identity and Access Management (11.1.2)".

Before you can configure Oracle Identity Manager Design Console by running the Oracle Identity Manager Configuration Wizard, you should have configured the Oracle Identity Manager Server, as described in Section 5.7, "Configuring Oracle Identity Manager Server" on a local or remote machine. In addition, the Oracle Identity Manager Server should be up and running.

Note: Oracle Identity Manager Design Console is supported on Windows operating systems only. If you are installing and configuring only Design Console on a machine, you do not need to install Oracle WebLogic Server and create a Middleware Home directory before installing the Oracle Identity and Access Management software.

5.5.1.3 Prerequisites for Configuring Only Oracle Identity Manager Remote Manager on a Different Machine

On the machine where you are installing and configuring Remote Manager, you must install the Oracle Identity and Access Management 11g Release 2 (11.1.2.0.0) software containing Oracle Identity Manager, Oracle Access Management, Oracle Adaptive Access Manager, Oracle Entitlements Server, Oracle Identity Navigator, Oracle Privileged Account Manager, and Oracle Access Management Mobile and Social. For information, see Section 3.2.7, "Installing Oracle Identity and Access Management (11.1.2)".

Before you can configure Oracle Identity Manager Remote Manager by running the Oracle Identity Manager Configuration Wizard, you should have configured the Oracle Identity Manager Server, as described in Section 5.7, "Configuring Oracle Identity Manager Server". In addition, the Oracle Identity Manager Server should be up and running.

Note: If you are installing and configuring only Remote Manager on a machine, you do not need to install Oracle WebLogic Server and create a Middleware Home directory before installing the Oracle Identity and Access Management software.

5.5.2 Oracle Identity Manager Configuration Scenarios

The Oracle Identity Manager 11g Configuration Wizard enables you to configure Oracle Identity Manager Server, Design Console (Windows only), and Remote Manager.

If you are configuring Oracle Identity Manager Server, you must run this configuration wizard on the machine where the Administration Server is running.

You must complete this additional configuration for Oracle Identity Manager components after configuring Oracle Identity Manager in a new or existing WebLogic administration domain.

This section discusses the following topics:

■ Scope of Configuration Using the Oracle Identity Manager 11g Configuration Wizard

■ Scenario 1: Oracle Identity Manager Server and Design Console on Different Machines

■ Scenario 2: Oracle Identity Manager Server and Remote Manager on Different Machines

■ Scenario 3: Oracle Identity Manager Server, Design Console, and Remote Manager on a Single Windows Machine

5.5.2.1 Scope of Configuration Using the Oracle Identity Manager 11g Configuration Wizard

You can use the Oracle Identity Manager 11g Configuration Wizard to configure the non-J2EE components and elements of Oracle Identity Manager. Most of the J2EE configuration is done automatically in the domain template for Oracle Identity Manager.

Note: You can run the Oracle Identity Manager Configuration Wizard to configure Oracle Identity Manager Server only once during the initial setup. After the initial setup, you cannot run the Oracle Identity Manager Configuration Wizard again to modify the configuration of Oracle Identity Manager Server, Design Console, or Remote Manager. For such modifications, you must use Oracle Enterprise Manager Fusion Middleware Control.


5.5.2.2 Scenario 1: Oracle Identity Manager Server and Design Console on Different Machines

In this scenario, you configure Oracle Identity Manager Server on one machine, and install and configure only Oracle Identity Manager Design Console on a different Windows machine (a development or design system).

Perform the following tasks:

1. Install and configure Oracle Identity Manager Server on a machine after completing all of the prerequisites, as described in Section 5.7, "Configuring Oracle Identity Manager Server". Ensure that the Oracle Identity Manager Server is up and running.

2. On the Windows machine on which the Design Console is to be installed, install a JDK in a path without a space such as c:/jdk1.6.0_29.

3. Install Oracle WebLogic Server and create a Middleware Home directory such as c:/oracle/Middleware.

4. Run setup.exe from the installation media disk1 and follow the prompts, selecting the Middleware_Home created above.

5. The installer will install the Oracle Identity and Access Management suite needed to install the Design Console.

6. On the Windows machine where you installed the Oracle Identity and Access Management 11g software, run the Oracle Identity Manager Configuration Wizard to configure only Design Console. Note that you must provide the Oracle Identity Manager Server information, such as host and URL, when configuring Design Console. For more information, see Section 5.8, "Optional: Configuring Oracle Identity Manager Design Console".

5.5.2.3 Scenario 2: Oracle Identity Manager Server and Remote Manager on Different Machines

In this scenario, you configure Oracle Identity Manager Server on one machine, and install and configure only Oracle Identity Manager Remote Manager on a different machine.

The following are the high-level tasks in this scenario:

1. Install and configure Oracle Identity Manager Server on a machine after completing all of the prerequisites, as described in Section 5.7, "Configuring Oracle Identity Manager Server". Ensure that the Oracle Identity Manager Server is up and running.

2. On a different machine, install the Oracle Identity and Access Management 11g software containing Oracle Identity Manager, Oracle Access Management, Oracle Adaptive Access Manager, Oracle Entitlements Server, Oracle Identity Navigator, Oracle Privileged Account Manager, and Oracle Access Management Mobile and Social. For information, see Section 3.2.7, "Installing Oracle Identity and Access Management (11.1.2)".

Note: When you specify the location of the Middleware_Home, you will see a message "Specified middleware home is not valid. If you continue with this installation only Remote Manager and Design Console can be configured." This is a valid message if you intend to install only the Design Console.


3. On the machine where you installed the Oracle Identity and Access Management 11g software, run the Oracle Identity Manager Configuration Wizard to configure only Remote Manager. Note that you must provide the Oracle Identity Manager Server information, such as host and URL, when configuring Remote Manager. For more information, see Section 5.9, "Optional: Configuring Oracle Identity Manager Remote Manager".

5.5.2.4 Scenario 3: Oracle Identity Manager Server, Design Console, and Remote Manager on a Single Windows Machine

In this scenario, suitable for test environments, you install and configure Oracle Identity Manager Server, Design Console, and Remote Manager on a single Windows machine.

The following are the high-level tasks in this scenario:

1. Install and configure Oracle Identity Manager Server on a machine after completing all the prerequisites, as described in Section 5.7, "Configuring Oracle Identity Manager Server". Ensure that the Oracle Identity Manager Server is up and running.

2. On the same machine, configure Design Console, as described in Section 5.8, "Optional: Configuring Oracle Identity Manager Design Console".

3. On the same machine, configure Remote Manager, as described in Section 5.9, "Optional: Configuring Oracle Identity Manager Remote Manager".

5.6 Starting the Oracle Identity Manager 11g Configuration Wizard

To start the Oracle Identity Manager 11g Configuration Wizard, run the <IAM_Home>/bin/config.sh script (on UNIX) or <IAM_Home>\bin\config.bat (on Windows) on the machine where the Administration Server is running. The Oracle Identity Manager 11g Configuration Wizard starts, and the Welcome screen appears.

5.7 Configuring Oracle Identity Manager Server

This topic describes how to install and configure only Oracle Identity Manager Server. It includes the following sections:

■ Appropriate Deployment Environment

■ Components Deployed

■ Dependencies

■ Procedure

■ Completing the Prerequisites for Enabling LDAP Synchronization

■ Running the LDAP Post-Configuration Utility

■ Verifying the LDAP Synchronization

■ Post-Configuration Steps

Note: If you have extended an existing WebLogic domain to support Oracle Identity Manager, you must restart the Administration Server before starting the Oracle Identity Manager Configuration Wizard to configure Oracle Identity Manager Server, Design Console, or Remote Manager.


■ Setting oamEnabled Parameter for Identity Virtualization Library

■ Enabling LDAP Sync after Installing and Configuring Oracle Identity Manager Server at a Later Point

5.7.1 Appropriate Deployment Environment

Perform the configuration in this topic if you want to install Oracle Identity Manager Server on a separate host.

5.7.2 Components Deployed

Performing the configuration in this section deploys only Oracle Identity Manager Server.

5.7.3 Dependencies

The installation and configuration in this section depends on Oracle WebLogic Server, on Oracle SOA Suite, and on the installation of Oracle Identity and Access Management 11g software. For more information, see Chapter 2, "Preparing to Install" and Section 3.2.7, "Installing Oracle Identity and Access Management (11.1.2)".

5.7.4 Procedure

Perform the following steps to configure only Oracle Identity Manager Server:

1. Ensure that all the prerequisites, described in Section 5.5.1.1, "Prerequisites for Configuring Oracle Identity Manager Server", are satisfied. In addition, see Section 5.1, "Important Notes Before You Start Configuring Oracle Identity Manager".

2. On the machine where the Administration Server is running, start the Oracle Identity Manager Configuration Wizard, as described in Section 5.6, "Starting the Oracle Identity Manager 11g Configuration Wizard". The Welcome screen appears.

3. On the Welcome screen, click Next. The Components to Configure screen appears.

On the Components to Configure screen, ensure that only the OIM Server option is selected. It is selected by default. Click Next. The Database screen appears.

4. On the Database screen, enter the full path, listen port, and service name for the database in the Connect String field. For a single host instance, the format of the connect string is hostname:port:servicename. For example, if the hostname is aaa.bbb.com, the port is 1234, and the service name is xxx.bbb.com, then you must enter the connect string for a single host instance as follows:

aaa.bbb.com:1234:xxx.bbb.com

If you are using a Real Application Cluster database, the format of the database connect string is as follows:

hostname1:port1:instancename1^hostname2:port2:instancename2@servicename
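A small pre-flight parser for the two connect string formats above, added here as an example and not part of the Oracle guide; the hostname and identifier rules and the JDBC thin URL rendering are assumptions made for checking a value before it is typed into the wizard.

```python
"""Pre-flight parser for the database connect strings the OIM Configuration
Wizard accepts on its Database screen (step 4).
Added example, not part of the Oracle guide. Two forms are recognised:
  single host: hostname:port:servicename
  RAC:         host1:port1:instance1^host2:port2:instance2@servicename
The JDBC URL rendering is a convenience for testing connectivity with
another tool; it is not what the wizard itself generates (assumption).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Hostname: RFC 1123 labels. Service/instance name: Oracle-style identifier
# (letter first, then letters, digits, '_', '$', '#', '.'). Assumed rules.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")
_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_$#.]*$")


class ConnectStringError(ValueError):
    """Raised when a connect string matches neither format."""


@dataclass(frozen=True)
class DbNode:
    host: str
    port: int
    name: str   # service name (single host) or instance name (RAC)


@dataclass(frozen=True)
class ConnectString:
    nodes: List[DbNode]
    service: str
    rac: bool


def _parse_node(token: str) -> DbNode:
    parts = token.split(":")
    if len(parts) != 3:
        raise ConnectStringError(f"expected host:port:name, got {token!r}")
    host, port_s, name = (p.strip() for p in parts)
    if not _HOST_RE.match(host):
        raise ConnectStringError(f"invalid hostname {host!r}")
    if not port_s.isdigit() or not 1 <= int(port_s) <= 65535:
        raise ConnectStringError(f"invalid port {port_s!r}")
    if not _NAME_RE.match(name):
        raise ConnectStringError(f"invalid service/instance name {name!r}")
    return DbNode(host, int(port_s), name)


def parse_connect_string(value: str) -> ConnectString:
    """Parse either format; raise ConnectStringError on any defect."""
    value = value.strip()
    if "@" in value:
        # RAC: '^'-separated host:port:instance list, then '@servicename'
        node_part, _, service = value.rpartition("@")
        if not _NAME_RE.match(service):
            raise ConnectStringError(f"invalid RAC service name {service!r}")
        nodes = [_parse_node(t) for t in node_part.split("^")]
        return ConnectString(nodes, service, rac=True)
    if "^" in value:
        raise ConnectStringError("node list given without '@servicename'")
    node = _parse_node(value)
    return ConnectString([node], node.name, rac=False)


def connect_string_error(value: str) -> Optional[str]:
    """Return None if the string is well formed, else the problem found."""
    try:
        parse_connect_string(value)
    except ConnectStringError as exc:
        return str(exc)
    return None


def to_jdbc_thin_url(cs: ConnectString) -> str:
    """Render an Oracle JDBC thin URL for a connectivity test."""
    if not cs.rac:
        n = cs.nodes[0]
        return f"jdbc:oracle:thin:@//{n.host}:{n.port}/{n.name}"
    addresses = "".join(
        f"(ADDRESS=(PROTOCOL=TCP)(HOST={n.host})(PORT={n.port}))"
        for n in cs.nodes)
    return ("jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(LOAD_BALANCE=on)"
            f"{addresses})(CONNECT_DATA=(SERVICE_NAME={cs.service})))")


if __name__ == "__main__":
    # Constructed sample values, following the guide's format examples.
    for s in ("aaa.bbb.com:1234:xxx.bbb.com",
              "rac1.bbb.com:1521:orcl1^rac2.bbb.com:1521:orcl2@xxx.bbb.com",
              "aaa.bbb.com:1234"):
        err = connect_string_error(s)
        print(s, "->", err or to_jdbc_thin_url(parse_connect_string(s)))
```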


5. In the OIM Schema User Name field, enter the name of the schema that you created for Oracle Identity Manager using the Oracle Fusion Middleware Repository Creation Utility (RCU). For more information, see Section 3.2.3, "Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU)".

6. In the OIM Schema Password field, enter the password for the Oracle Identity Manager schema that you set while creating the schema using the Oracle Fusion Middleware Repository Creation Utility (RCU).

7. If you want to use a different database for the Metadata Services (MDS) schema, select the Select different database for MDS Schema check box.

8. If you choose to use a different database for MDS schema, in the MDS Connect String field, enter the full path, listen port, and service name for the database associated with the MDS schema. For the format of the connect string, see Step 4.

In the MDS Schema User Name field, enter the name of the schema that you created for AS Common Services - Metadata Services using the Oracle Fusion Middleware Repository Creation Utility (RCU). For more information, see Section 3.2.3, "Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU)".

In the MDS Schema Password field, enter the password for the AS Common Services - Metadata Services schema that you set while creating the schema using the Oracle Fusion Middleware Repository Creation Utility (RCU). Click Next. The WebLogic Admin Server screen appears.

9. On the WebLogic Admin Server screen, in the WebLogic Admin Server URL field, enter the URL of the WebLogic Administration Server of the domain in the following format:

t3://hostname:port

In the UserName field, enter the WebLogic administrator user name of the domain in which the Oracle Identity Manager application and the Oracle SOA Suite application are deployed. If you are setting up integration between Oracle Identity Manager and Oracle Access Manager, the Oracle Access Manager application is also configured in the same domain.

In the Password field, enter the WebLogic administrator password of the domain in which the Oracle Identity Manager application and the Oracle SOA Suite application are deployed. Click Next.

The OIM Server screen appears. The OIM Server screen enables you to set a password for the system administrator (xelsysadm).

10. On the OIM Server screen, in the OIM Administrator Password field, enter a new password for the administrator. A valid password contains at least 6 characters; begins with an alphabetic character; includes at least one number, one uppercase letter, and one lowercase letter. The password cannot contain the first name, last name, or the login name for Oracle Identity Manager.

Note: You can use the same database or different databases for creating the Oracle Identity Manager schema and the Metadata Services schema.

Ensure that no firewalls or gateways are blocking the connection to the database.


11. In the Confirm User Password field, enter the new password again.

12. In the OIM HTTP URL field, enter the http URL that front-ends the Oracle Identity Manager application.

The URL is of the format: http(s)://<oim_host>:<oim_port>. For example, https://localhost:7002.

13. In the KeyStore Password field, enter a new password for the keystore. A valid password can contain 6 to 30 characters, begin with an alphabetic character, and use only alphanumeric characters and special characters like Dollar ($), Underscore (_), and Pound (#). The password must contain at least one number.

14. In the Confirm Keystore Password field, enter the new password again.
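The password rules stated in steps 10 and 13, transcribed into two check functions so a value can be tested before it is entered in the wizard. This is an added example, not part of the Oracle guide; treating the first name, last name and login name match as case-insensitive is an assumption.

```python
"""Checks for the two passwords entered on the OIM Server screen
(steps 10 to 14): the xelsysadm administrator password and the keystore
password. Added example, not part of the Oracle guide; the rules are the
ones the text states. Case-insensitive name matching is an assumption.
"""
import re
from typing import List

_ASCII_LETTER = re.compile(r"[A-Za-z]")
_KEYSTORE_CHARSET = re.compile(r"^[A-Za-z0-9$_#]+$")


def check_oim_admin_password(password: str, first_name: str = "",
                             last_name: str = "",
                             login: str = "xelsysadm") -> List[str]:
    """Step 10 rules. Returns the list of violations (empty = acceptable):
    at least 6 characters, begins with a letter, contains at least one
    digit, one uppercase and one lowercase letter, and does not contain
    the first name, last name or login name."""
    problems: List[str] = []
    if len(password) < 6:
        problems.append("fewer than 6 characters")
    if not _ASCII_LETTER.match(password[:1]):
        problems.append("does not begin with an alphabetic character")
    if not any("0" <= c <= "9" for c in password):
        problems.append("no digit")
    if not any("A" <= c <= "Z" for c in password):
        problems.append("no uppercase letter")
    if not any("a" <= c <= "z" for c in password):
        problems.append("no lowercase letter")
    lowered = password.lower()
    for label, name in (("first name", first_name),
                        ("last name", last_name),
                        ("login name", login)):
        if name and name.lower() in lowered:
            problems.append(f"contains the {label} {name!r}")
    return problems


def check_keystore_password(password: str) -> List[str]:
    """Step 13 rules: 6 to 30 characters, begins with a letter, only
    alphanumerics plus '$', '_' and '#', and at least one digit."""
    problems: List[str] = []
    if not 6 <= len(password) <= 30:
        problems.append("length is not between 6 and 30 characters")
    if not _ASCII_LETTER.match(password[:1]):
        problems.append("does not begin with an alphabetic character")
    if not _KEYSTORE_CHARSET.match(password):
        problems.append("contains characters other than A-Z, a-z, 0-9, $, _ and #")
    if not any("0" <= c <= "9" for c in password):
        problems.append("no digit")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not from the guide.
    for pw in ("Welcome1", "welcome1", "1Welcome", "Xelsysadm1"):
        print(pw, check_oim_admin_password(pw) or "ok")
    for pw in ("Store#2012", "Store-2012", "Storepass"):
        print(pw, check_keystore_password(pw) or "ok")
```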

15. Optional: To enable LDAP Sync, you must select the Enable LDAP Sync option on the OIM Server screen.

16. After making your selections, click Next on the OIM Server screen. If you chose to enable LDAP Sync, the LDAP Server screen appears.

The LDAP Server screen enables you to specify the following information:

■ Directory Server Type - Select the desired Directory Server from the dropdown list. You have the following options:

– OID

– ACTIVE_DIRECTORY

– IPLANET

– OVD

– OUD

■ Directory Server ID - enter the Directory Server ID. It can be any unique value.

For example: oid1 for OID, oud1 for OUD, iplanet1 for IPLANET, and ad1 for ACTIVE_DIRECTORY

■ Server URL - enter the LDAP URL in the format ldap://oid_host:oid_port.

■ Server User - enter the user name for the Directory Server administrator.

For example: cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com

■ Server Password - enter the Oracle Identity Manager admin password.

■ Server SearchDN - enter the Distinguished Names (DN). For example, dc=exampledomain, dc=com. This is the top-level container for users and roles in LDAP, and Oracle Identity Manager uses this container for reconciliation.

Note: If you want to enable LDAP Sync, before enabling LDAP Sync you must complete the steps, as described in Completing the Prerequisites for Enabling LDAP Synchronization.

Once LDAP Sync is enabled on the OIM Server screen and the prerequisites are completed, you must continue to configure the Oracle Identity Manager Server. After you have configured the Oracle Identity Manager Server and exited the Oracle Identity Management Configuration Wizard, you must run the LDAP post-configuration utility as described in Running the LDAP Post-Configuration Utility.

Notes:

■ IPLANET is also referred to as Oracle Directory Server Enterprise Edition (ODSEE) in this guide.

■ If you choose to use OID, ACTIVE_DIRECTORY, IPLANET, or OUD as the Directory Server and if you want to integrate Oracle Identity Manager and Oracle Access Management, you must set the oamEnabled parameter to true. To set the oamEnabled parameter to true in case of Identity Virtualization Library, see Setting oamEnabled Parameter for Identity Virtualization Library.

Click Next. The LDAP Server Continued screen appears.

17. On the LDAP Server Continued screen, enter the following LDAP information:

■ LDAP RoleContainer - enter a name for the container that will be used as a default container of roles in the LDAP directory. You can configure isolation rules in Oracle Identity Manager to create roles in different containers in LDAP. For example, cn=groups,cn=oracleAccounts,dc=mycountry,dc=mycompany,dc=com.

■ LDAP RoleContainer Description - enter a description for the default role container.

■ LDAP Usercontainer - enter a name for the container that will be used as a default container of users in the LDAP directory. You can configure isolation rules in Oracle Identity Manager to create users in different containers in LDAP. For example, cn=groups,cn=oracleAccounts,dc=mycountry,dc=mycompany,dc=com.

■ LDAP Usercontainer Description - enter a description for the default user container.

■ User Reservation Container - enter a name for the container that will be used for reserving user names in the LDAP directory while their creation is being approved in Oracle Identity Manager. When the user names are approved, they are moved from the reservation container to the user container in the LDAP directory. For example, cn=reserve, dc=mycountry, dc=com.

After enabling LDAP synchronization and after running the LDAP post-configuration utility, you can verify the synchronization by using the Oracle Identity Manager Administration Console. For more information, see Verifying the LDAP Synchronization. Click Next. The Configuration Summary screen appears.

18. If you did not choose the Enable LDAP Sync option on the OIM Server screen, the Configuration Summary screen appears after you enter information in the OIM Server screen.

The Configuration Summary screen lists the applications you selected for configuration and summarizes your configuration options, such as database connect string, OIM schema user name, MDS schema user name, WebLogic Admin Server URL, WebLogic Administrator user name, and OIM HTTP URL.


Review this summary and decide whether to start the configuration. If you want to modify any of the configuration settings at this stage, select a topic in the left navigation pane and modify your choices. To continue installing this configuration of the Oracle Identity Manager Server, click Configure.

After you click Configure, the Configuration Progress screen appears. Click Next.

A configuration log is saved to the logs directory under Oracle Inventory directory. For information about the log files, see Installation Log Files. If the Configuration Progress screen displays any errors, click Abort to stop the installation and restart the Oracle Identity Manager Configuration Wizard.

19. Click Finish.

5.7.5 Completing the Prerequisites for Enabling LDAP Synchronization

You must complete the following prerequisites:

■ Preconfiguring the Identity Store

■ Creating Adapters in Oracle Virtual Directory

5.7.5.1 Preconfiguring the Identity Store

Before you can use your LDAP directory as an Identity store, you must preconfigure it.

Note: Before configuring an application, you can save your configuration settings and preferences in a response file. Response files are text files that you can create or edit in a text editor. You can use response files to perform a silent installation or use as templates or customized settings for your environment. For more information, see Performing a Silent Installation.

Note: If the configuration fails, click Abort to stop the installation and restart the Oracle Identity Manager Configuration Wizard, as described in Starting the Oracle Identity Manager 11g Configuration Wizard.


You must complete the following steps to preconfigure the Identity Store if you have not already done so:

1. Create User, Group and Reserve Containers.

2. Create the proxy user for OIM, namely oimadminuser, in the Directory Server outside the search base used for OIM reconciliation. This OIM proxy user should not be reconciled into the OIM database.

3. Create the oimadmingroup and assign the oimadminuser to the group.

4. Add the ACIs to the group and user container for the OIM proxy user to have access to all entries in those containers.

5. Extend OIM Schema for non-OID Directory Servers.

■ For Active Directory

– The OIM Schema for Active Directory is in the following location:

$MW_HOME/oracle_common/modules/oracle.ovd_11.1.1/oimtemplates

– Run the following command to extend Active Directory schema:

On Windows:

extendadschema.bat -h AD_host -p AD_port -D <[email protected]> -q -AD <dc=mydomain,dc=com> -OAM true

On UNIX:

sh extendadschema.sh -h AD_host -p AD_port -D [email protected] -q -AD dc=mydomain,dc=com -OAM true

Note: Follow the steps in this section if you are using any one of the Directory Servers mentioned below for LDAP Synchronization:

■ OID

■ Active Directory

■ iPlanet/ODSEE

■ OUD

■ OVD

The preconfiguration differs, depending on the directory store you wish to use to hold your identity information. For a sample procedure of preconfiguring the Identity Store, refer to the following:

■ Preconfiguring Oracle Directory Server Enterprise Edition (ODSEE)

■ Preconfiguring Oracle Unified Directory (OUD)

■ Preconfiguring Oracle Internet Directory (OID)

Note: The extendadschema script is certified only on Active Directory 2003, 2008 and 2008R2.


■ For ODSEE/iPlanet

– The OIM Schema for iPlanet (also known as ODSEE) is in the following location:

$MW_HOME/oracle_common/modules/oracle.ovd_11.1.1/oimtemplates/sunOneSchema.ldif

– Run the following command to extend ODSEE schema:

ldapmodify -h <ODSEE Server> -p <ODSEE port> -D <ODSEE Admin ID> -w <ODSEE Admin password> -f sunOneSchema.ldif

6. If you want to enable OAM-OIM integration, extend the following OAM Schema:

■ For OID

– To extend OAM Schema for OID, locate the following files:

$IAM_HOME/oam/server/oim-intg/ldif/oid/schema/OID_oblix_pwd_schema_add.ldif

$IAM_HOME/oam/server/oim-intg/ldif/oid/schema/OID_oblix_schema_add.ldif

$IAM_HOME/oam/server/oim-intg/ldif/oid/schema/OID_oim_pwd_schema_add.ldif

$IAM_HOME/oam/server/oim-intg/ldif/oid/schema/OID_oblix_schema_index_add.ldif

– Use ldapmodify from the command line to load the four LDIF files:

cd $IAM_HOME/oam/server/oim-intg/ldif/oid/schema/

ldapmodify -h <OID Server> -p <OID port> -D <OID Admin ID> -w <OID Admin password> -f OID_oblix_pwd_schema_add.ldif

ldapmodify -h <OID Server> -p <OID port> -D <OID Admin ID> -w <OID Admin password> -f OID_oblix_schema_add.ldif

ldapmodify -h <OID Server> -p <OID port> -D <OID Admin ID> -w <OID Admin password> -f OID_oim_pwd_schema_add.ldif

ldapmodify -h <OID Server> -p <OID port> -D <OID Admin ID> -w <OID Admin password> -f OID_oblix_schema_index_add.ldif

■ For Active Directory

– To extend OAM Schema for Active Directory, locate the following files:

$IAM_HOME/oam/server/oim-intg/ldif/ad/schema/ADUserSchema.ldif

$IAM_HOME/oam/server/oim-intg/ldif/ad/schema/AD_oam_pwd_schema_add.ldif

In both the above files, replace the domain-dn with the appropriate domain-dn value.

– Use ldapadd from the command line to load the two LDIF files, as follows:


cd $IAM_HOME/oam/server/oim-intg/ldif/ad/schema/

ldapadd -h <activedirectoryhostname> -p <activedirectoryportnumber> -D <AD_administrator> -q -c -f ADUserSchema.ldif

ldapadd -h <activedirectoryhostname> -p <activedirectoryportnumber> -D <AD_administrator> -q -c -f AD_oam_pwd_schema_add.ldif

where AD_administrator is a user that has schema extension privileges to the directory.

For example:

ldapadd -h activedirectoryhost.mycompany.com -p 389 -D adminuser -q -c -f ADUserSchema.ldif

■ For ODSEE/iPlanet

– To extend OAM Schema for ODSEE, locate the following files:

$IAM_HOME/oam/server/oim-intg/ldif/iplanet/schema/iPlanet7_user_index_add.ldif

$IAM_HOME/oam/server/oim-intg/ldif/iplanet/schema/iPlanet7_user_index_generic.ldif

$IAM_HOME/oam/server/oim-intg/ldif/iplanet/schema/iPlanet_oam_pwd_schema_add.ldif

$IAM_HOME/oam/server/oim-intg/ldif/iplanet/schema/iPlanet_user_schema_add.ldif

$IAM_HOME/oam/server/oim-intg/ldif/iplanet/schema/iPlanet_user_index_add.ldif

– Use ldapmodify from the command line to load the four LDIF files:

cd $IAM_HOME/oam/server/oim-intg/ldif/iplanet/schema/

ldapadd -h <ODSEE Server> -p <ODSEE port> -D <ODSEE Admin ID> -w <ODSEE Admin password> -f iPlanet7_user_index_add.ldif

or

ldapadd -h <ODSEE Server> -p <ODSEE port> -D <ODSEE Admin ID> -w <ODSEE Admin password> -f iPlanet7_user_index_generic.ldif

Note: If you are not sure which index-root you should use, use iPlanet7_user_index_generic.ldif instead of iPlanet7_user_index_add.ldif; the generic file also contains step-by-step instructions on finding the index-root.


ldapmodify -h <ODSEE Server> -p <ODSEE port> -D <ODSEE Admin ID> -w <ODSEE Admin password> -f iPlanet_oam_pwd_schema_add.ldif

ldapmodify -h <ODSEE Server> -p <ODSEE port> -D <ODSEE Admin ID> -w <ODSEE Admin password> -f iPlanet_user_schema_add.ldif

ldapadd -h <ODSEE Server> -p <ODSEE port> -D <ODSEE Admin ID> -w <ODSEE Admin password> -f iPlanet_user_index_add.ldif

■ For OUD

– To extend OAM Schema for OUD, locate the following files:

$IAM_HOME/oam/server/oim-intg/ldif/ojd/schema/ojd_user_schema_add.ldif

$IAM_HOME/oam/server/oim-intg/ldif/ojd/schema/ojd_user_index_generic.ldif

$IAM_HOME/oam/server/oim-intg/ldif/ojd/schema/ojd_oam_pwd_schema_add.ldif

– Use ldapmodify from the command line to load the following three LDIF files:

cd $IAM_HOME/oam/server/oim-intg/ldif/ojd/schema/

ldapmodify -h <OUD Server> -p <OUD port> -D <OUD Admin ID> -w <OUD Admin password> -f ojd_user_schema_add.ldif

ldapmodify -h <OUD Server> -p <OUD Admin SSL port> -D <OUD Admin ID> -w <OUD Admin password> -Z -X -a -f ojd_user_index_generic.ldif

ldapmodify -h <OUD Server> -p <OUD port> -D <OUD Admin ID> -w <OUD Admin password> -f ojd_oam_pwd_schema_add.ldif

After all the indexes in ojd_user_index_generic.ldif are imported, the indexes must be rebuilt, either online or offline.

To rebuild the index Offline:

1) Stop the OUD server by executing the following command:

$MW_HOME/asinst_1/OUD/bin/stop-ds

2) Rebuild the index one by one for all index attributes mentioned in the file ojd_user_index_generic.ldif by executing the following command:

$MW_HOME/asinst_1/OUD/bin/rebuild-index -h <OUD Server> -p <OUD Admin SSL port> -D <OUD Admin ID> -j <password-file> -X --baseDN <baseDN> --index <attribute>

For example:

$MW_HOME/asinst_1/OUD/bin/rebuild-index -h localhost -p 5444 -D "cn=Directory Manager" -j pwd.txt -X --baseDN dc=mycompany,dc=com --index obgroupadministrator

3) Restart the OUD server by executing the following command:


$MW_HOME/asinst_1/OUD/bin/start-ds

To rebuild the index Online:

If you rebuild the index online, the OUD server need not be stopped and restarted.

Rebuild the index one by one for all index attributes mentioned in the file ojd_user_index_generic.ldif by executing the following command:

$MW_HOME/asinst_1/OUD/bin/rebuild-index -h <OUD Server> -p <OUD Admin SSL port> -D <OUD Admin ID> -j <password-file> -X --baseDN <baseDN> --index <attribute>

For example:

$MW_HOME/asinst_1/OUD/bin/rebuild-index -h localhost -p 5444 -D "cn=Directory Manager" -j pwd.txt -X --baseDN dc=mycompany,dc=com --index obgroupadministrator --index obid --index oblocationdn

7. If you are using Oracle Directory Server Enterprise Edition (ODSEE), you must enable moddn and Changelog properties in the ODSEE Directory Server.

Skip this step if you are using Oracle Internet Directory (OID), Active Directory or Oracle Unified Directory (OUD).

5.7.5.2 Creating Adapters in Oracle Virtual Directory

Oracle Virtual Directory communicates with other directories through adapters.

Before you can start using Oracle Virtual Directory as an identity store, you must create adapters to each of the directories you want to use. The procedure is slightly different, depending on the directory you are connecting to.

Note: To find out the OUD Admin SSL port, check the configuration in <OUD Home Directory>/config/config.ldif, under the entry cn=Administration Connector,cn=config. It is the value associated to the attribute ds-cfg-listen-port.

For example:

$MW_HOME/asinst_1/OUD/config/config.ldif has 5444 as OUD Admin SSL port.

dn: cn=Administration Connector,cn=config

objectClass: ds-cfg-administration-connector

objectClass: top

ds-cfg-listen-address: 0.0.0.0

ds-cfg-listen-port: 5444
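The two OUD look-ups above (the Admin SSL port from the cn=Administration Connector,cn=config entry, and the index attributes that step 6 for OUD rebuilds one by one from ojd_user_index_generic.ldif) done with a small LDIF reader that then produces the rebuild-index command lines. This is an added example, not Oracle's code; the LDIF content below is constructed, the installation path is a placeholder, and the assumption that the index file defines its indexes as entries carrying ds-cfg-attribute is about that file's layout, not something the guide states.

```python
"""Read OUD LDIF to find the Admin SSL port (config.ldif) and the index
attributes to rebuild (ojd_user_index_generic.ldif), then build the
rebuild-index command lines. Added example, not Oracle's code. Sample
LDIF is constructed; the index-entry layout is an assumption."""
import shlex
from typing import Dict, List, Optional

LdifEntry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[LdifEntry]:
    """Minimal LDIF reader: blank-line separated entries, 'attr: value'
    lines, continuation lines start with a space, '#' lines are comments.
    Base64 ('::') values are kept undecoded. Attribute names are lowercased."""
    entries: List[LdifEntry] = []
    current: LdifEntry = {}
    last_attr: Optional[str] = None
    for raw in text.splitlines() + [""]:
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]      # folded continuation line
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip().lower()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    return entries


def admin_ssl_port(config_ldif: str) -> Optional[int]:
    """ds-cfg-listen-port of the Administration Connector entry, else None."""
    for entry in parse_ldif(config_ldif):
        if entry.get("dn", [""])[0].lower() == "cn=administration connector,cn=config":
            ports = entry.get("ds-cfg-listen-port", [])
            return int(ports[0]) if ports else None
    return None


def index_attributes(index_ldif: str) -> List[str]:
    """Attribute names indexed by the LDIF entries, in file order, no repeats."""
    seen: List[str] = []
    for entry in parse_ldif(index_ldif):
        for attr in entry.get("ds-cfg-attribute", []):
            if attr not in seen:
                seen.append(attr)
    return seen


def rebuild_index_commands(oud_bin: str, host: str, admin_port: int,
                           bind_dn: str, pwd_file: str, base_dn: str,
                           attributes: List[str],
                           single_command: bool = False) -> List[List[str]]:
    """argv lists for rebuild-index: one per attribute (the guide's offline
    form) or, with single_command=True, one call listing every --index
    (the guide's online form)."""
    prefix = [f"{oud_bin}/rebuild-index", "-h", host, "-p", str(admin_port),
              "-D", bind_dn, "-j", pwd_file, "-X", "--baseDN", base_dn]
    if single_command:
        argv = list(prefix)
        for attr in attributes:
            argv += ["--index", attr]
        return [argv]
    return [prefix + ["--index", attr] for attr in attributes]


# Constructed samples; the config.ldif excerpt mirrors the guide's note.
SAMPLE_CONFIG_LDIF = """\
dn: cn=config
objectClass: ds-cfg-root-config

dn: cn=Administration Connector,cn=config
objectClass: ds-cfg-administration-connector
objectClass: top
ds-cfg-listen-address: 0.0.0.0
ds-cfg-listen-port: 5444
"""

SAMPLE_INDEX_LDIF = """\
# constructed index definitions, one entry per attribute (assumed layout)
dn: ds-cfg-attribute=obgroupadministrator,cn=Index,ds-cfg-backend-id=userRoot,
 cn=Backends,cn=config
changetype: add
objectClass: ds-cfg-local-db-index
ds-cfg-attribute: obgroupadministrator
ds-cfg-index-type: equality

dn: ds-cfg-attribute=obid,cn=Index,ds-cfg-backend-id=userRoot,cn=Backends,cn=config
changetype: add
objectClass: ds-cfg-local-db-index
ds-cfg-attribute: obid
ds-cfg-index-type: equality

dn: ds-cfg-attribute=oblocationdn,cn=Index,ds-cfg-backend-id=userRoot,cn=Backends,cn=config
changetype: add
objectClass: ds-cfg-local-db-index
ds-cfg-attribute: oblocationdn
ds-cfg-index-type: equality
"""

if __name__ == "__main__":
    port = admin_ssl_port(SAMPLE_CONFIG_LDIF) or 5444
    attrs = index_attributes(SAMPLE_INDEX_LDIF)
    # /u01/oracle/Middleware is a placeholder for $MW_HOME.
    for argv in rebuild_index_commands("/u01/oracle/Middleware/asinst_1/OUD/bin",
                                       "localhost", port, "cn=Directory Manager",
                                       "pwd.txt", "dc=mycompany,dc=com", attrs):
        print(shlex.join(argv))
```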


The following sections show how to create adapters for the respective directories:

■ Creating Adapters for Oracle Internet Directory

■ Creating Adapters for Microsoft Active Directory Server

■ Creating Adapters for Oracle Directory Server Enterprise Edition (ODSEE)

■ Creating Adapters for Oracle Unified Directory (OUD)

■ Important Notes on Changelog Plugin Configuration

5.7.5.2.1 Creating Adapters for Oracle Internet Directory

User Adapter

Create the user adapter for Oracle Virtual Directory. Follow the steps below to create the User Adapter in Oracle Virtual Directory using Oracle Directory Services Manager.

1. Open a browser and bring up the ODSM console at http://hostname:port/odsm

2. Connect to Oracle Virtual Directory by using the appropriate connection entry.

3. On the Home page, click the Adapter tab.

4. Start the New Adapter Wizard by clicking Create Adapter at the top of the adapter window.

5. Create a new adapter using the New Adapter Wizard, with the following parameters:

Note: This procedure is applicable only if you are using OVD as the Directory Server. If you choose to use OID, Active Directory, Oracle Directory Server Enterprise Edition (ODSEE) or Oracle Unified Directory as the Directory Server, the required adapters are created and configured while installing and configuring the Oracle Identity Manager server. For more information on managing the adapters, see "Managing Identity Virtualization Library (libOVD) Adapters" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

The User Management and Changelog adapters for Identity Virtualization Library configured by the Oracle Identity Manager installer are stored in the adapters.os_xml file. The adapters.os_xml file is in the following location:

$DOMAIN_HOME/config/fmwconfig/ovd/<context>/

For example:

$DOMAIN_HOME/config/fmwconfig/ovd/oim1/adapters.os_xml

Note: The default port number is 7005.

Table 5–2 Parameters for User Adapter Creation

Screen           Field                        Value/Step
Type             Adapter Type                 LDAP
                 Adapter Name                 User Adapter
                 Adapter Template             User_OID
Connection       Use DNS for Auto Discovery   No
                 Host                         idstore.mycompany.com
                 Port                         389
                 Server Proxy Bind DN         cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com
                 Proxy Password               Password for oimadmin user.
Connection Test                               Validate that the test succeeds.
Namespace        Remote Base                  dc=mycompany,dc=com
                 Mapped Namespace             dc=mycompany,dc=com

Verify that the summary is correct and then click Finish.

6. Edit the User Adapter as follows:

a. Select the User Adapter.

b. Click the Plug-ins Tab.

c. Click the User Management Plug-in, then click Edit in the plug-ins table. The plug-in editing window appears.

d. In the Parameters table, update the parameter values as follows:

Table 5–3 User Adapter Parameter Values

Parameter        Value
directoryType    oid
pwdMaxFailure    10
oamEnabled       true or false. Note that this parameter should be set to true only if you are setting up integration between Oracle Identity Manager and Oracle Access Manager at a later time.
mapObjectclass   container=orclContainer

e. Click OK.

f. Click Apply.

Change Log Adapter

Create the change log adapter for Oracle Virtual Directory. Follow the steps below to create the Change Log Adapter in Oracle Virtual Directory using Oracle Directory Services Manager.

1. Open a browser and bring up the ODSM console at http://hostname:port/odsm

Page 79: Oracle Fusion Middleware Installation Guide for Oracle ... · Oracle Fusion Middleware Installation Guide for ... 6.9.1.3 Setting Up the OpenSSO ... Preface Oracle Fusion Middleware

Configuring Oracle Identity Manager Server

Configuring Oracle Identity Manager 5-25

2. Connect to Oracle Virtual Directory by using the appropriate connection entry.

3. On the Home page, click on the Adapter tab.

4. Start the New Adapter Wizard by clicking Create Adapter at the top of the adapter window.

5. Create a new adapter using the New Adapter Wizard, with the following parameters:

Verify that the summary is correct, then click Finish.

6. To edit the change adapter follow the steps below:

a. Select the OIM Change Log Adapter.

b. Click the Plug-ins tab.

c. In the Deployed Plus-ins table, click the changelog plug-in, then click Edit in the plug-ins table. The plug-in editing window appears.

d. In the Parameters table, update the parameter values.

Edit the Change Log Adapter to either add or modify the properties so that they match the values shown in the following table. You must add the modifierDNFilter, sizeLimit, and targetDNFilter properties to the adapter.

Note: The default port number is 7005.

Table 5–4 Parameters for Change Log Adapter Creation

Screen Field Value/Step

Type Adapter Type LDAP

Adapter Name Change Log Adapter

Adapter Template Changelog_OID

Connection Use DNS for Auto Discovery

No

Host policystore.mycompany.com

Port 389

Server Proxy Bind DN cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com

Proxy Password Password for oimadmin user

Connection Test Validate that the test succeeds

Namespace Remote Base Remote Base should be empty

Mapped Namespace cn=changelog

Table 5–5 Changelog Adapter Parameter Values

Parameter Value

directoryType oid

mapAttribute targetGUID=orclguid

requiredAttribute orclguid

Page 80: Oracle Fusion Middleware Installation Guide for Oracle ... · Oracle Fusion Middleware Installation Guide for ... 6.9.1.3 Setting Up the OpenSSO ... Preface Oracle Fusion Middleware

Configuring Oracle Identity Manager Server

5-26 Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management

e. Click OK.

f. Click Apply.

Restarting Oracle Virtual DirectoryRestart Oracle Virtual Directory, as described in Starting or Stopping the Oracle Stack.

5.7.5.2.2 Creating Adapters for Microsoft Active Directory Server

User AdapterCreate the user adapter for Oracle Virtual Directory. Follow these steps to create the User Adapter in Oracle Virtual Directory using Oracle Directory Services Manager.

1. Start the Administration Server and the ODSM Managed Server as described in Starting or Stopping the Oracle Stack.

2. Open a browser and bring up the ODSM console at http://hostname:port/odsm

3. Connect to Oracle Virtual Directory by using the appropriate connection entry.

modifierDNFilter !(modifiersname=cn=oimAdminUser,cn=systemids,<root suffix>)

Note: This is an example. This value can be of any Proxy DN that the customer defines.

For example: rootSuffix can be dc=mycompany,dc=com

sizeLimit 1000

targetDNFilter Optional parameter.

For more information, see Important Notes on Changelog Plugin Configuration.

oamEnabled true or false

Note that this parameter should be set to true only if you are setting up integration between Oracle Identity Manager and Oracle Access Manager at a later time.

mapUserState true

For more information, see Important Notes on Changelog Plugin Configuration.

virtualDITAdapterName

Name of the OID User Management adapter.

For more information, see Important Notes on Changelog Plugin Configuration.

Note: For more information about these plug-in parameters, refer to the Understanding the Oracle Virtual Directory Plug-ins section in the Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory 11g Release 1 (11.1.1).

Note: The default port number is 7005.

Table 5–5 (Cont.) Changelog Adapter Parameter Values

Parameter Value

Page 81: Oracle Fusion Middleware Installation Guide for Oracle ... · Oracle Fusion Middleware Installation Guide for ... 6.9.1.3 Setting Up the OpenSSO ... Preface Oracle Fusion Middleware

Configuring Oracle Identity Manager Server

Configuring Oracle Identity Manager 5-27

4. On the Home page, click the Adapter tab.

5. Start the New Adapter Wizard by clicking Create Adapter at the top of the adapter window.

6. Create a new adapter using the New Adapter Wizard, with the following parameters:

Table 5–6 Parameters for New User Adapter Creation

  Screen           Field                        Value/Step
  Type             Adapter Type                 LDAP
                   Adapter Name                 User Adapter
                   Adapter Template             User_ActiveDirectory
  Connection       Use DNS for Auto Discovery   No
                   Host                         Active Directory host/virtual name
                   Port                         Active Directory SSL port
                   Server Proxy Bind DN         cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com
                   Proxy Password               Password for oimadmin user.
                   Use SSL/TLS                  Selected
                   SSL Authentication Mode      Server Only Authentication
  Connection Test                               Validate that the test succeeds.
  Namespace        Remote Base                  dc=mycompany,dc=com
                   Mapped Namespace             dc=mycompany,dc=com

Verify that the summary is correct and then click Finish.

7. Edit the User Adapter as follows:

a. Select the OIM User Adapter.

b. Click the Plug-ins tab.

c. Click the User Management Plug-in, then click Edit in the plug-ins table. The plug-in editing window appears.

d. In the Parameters table, update the parameter values as follows:

Table 5–7 User Adapter Parameter Values

  Parameter          Value
  directoryType      activedirectory
  mapAttribute       orclguid=objectGuid
  mapAttribute       uniquemember=member
  addAttribute       user,samaccountname=%uid%,%orclshortuid%
  mapAttribute       mail=userPrincipalName
  mapAttribute       ntgrouptype=grouptype
  mapObjectclass     groupofUniqueNames=group
  mapObjectclass     inetOrgPerson=user
  mapObjectclass     orclidxperson=user
  mapPassword        true
  exclusionMapping   orclappiduser,uid=samaccountname
  pwdMaxFailure      10
  oamEnabled         true or false. This parameter should be set to true only if you are setting up integration between Oracle Identity Manager and Oracle Access Manager at a later time.
  oimLanguages       For language support, you need to edit the User Management plugin to add a new configuration parameter, oimLanguages. See Important Notes on User Management Plugin Configuration.

e. Click OK.

f. Click Apply.

Important Notes on User Management Plugin Configuration

oimLanguages attribute: For language support, you need to edit the User Management plugin to add a new configuration parameter, oimLanguages.

For example, if the Managed Localization for the DisplayName is set to French when creating the User in Oracle Identity Manager, then the value of oimLanguages in the User Management adapter plugin should be fr. If other languages, say Japanese, are to be supported as well, then the value of the parameter should be fr,ja.

This parameter is functional only when the directoryType parameter is set to activedirectory.

The User Management plugin has the following configuration parameters:

oimLanguages, <comma-separated list of language codes to be used in attribute language subtypes>.

Table 5–8 Language Codes for the MLS Enabled Attributes

  orclIDXPerson
    MLS Enabled Attributes: cn, sn, givenName, middleName, displayName, o, ou, title, postalAddress, st, description, orclGenerationQualifier
    Language Codes: sq, ar, as, az, bn, bg, be, ca, zh-CN, zh-TW, hr, cs, da, nl, en, et, fi, fr, de, el, gu, he, hi, hu, is, id, it, ja, kn, kk, ko, lv, lt, mk, ms, ml, mr, no, or, pl, pt, pt-BR, pa, ro, ru, sr, sk, sl, es, sv, ta, te, th, tr, uk, uz, vi

  orclIDXGroup
    MLS Enabled Attributes: cn, displayName, description
    Language Codes: sq, ar, as, az, bn, bg, be, ca, zh-CN, zh-TW, hr, cs, da, nl, en, et, fi, fr, de, el, gu, he, hi, hu, is, id, it, ja, kn, kk, ko, lv, lt, mk, ms, ml, mr, no, or, pl, pt, pt-BR, pa, ro, ru, sr, sk, sl, es, sv, ta, te, th, tr, uk, uz, vi

Note: If you are using Identity Virtualization Library, then see "Managing Identity Virtualization Library (libOVD) Adapters" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

Change Log Adapter

Follow the steps below to create the Change Log Adapter in Oracle Virtual Directory using Oracle Directory Services Manager.

1. Open a browser and bring up the ODSM console at http://hostname:port/odsm

Note: The default port number is 7005.

2. Connect to Oracle Virtual Directory by using the appropriate connection entry.

3. On the Home page, click the Adapter tab.

4. Start the New Adapter Wizard by clicking Create Adapter at the top of the adapter window.

5. Create a new adapter using the New Adapter Wizard, with the following parameters:

Table 5–9 Parameters for New Change Log Adapter Creation

  Screen           Field                        Value/Step
  Type             Adapter Type                 LDAP
                   Adapter Name                 OIM Change Log Adapter
                   Adapter Template             Changelog_ActiveDirectory
  Connection       Use DNS for Auto Discovery   No
                   Host                         Active Directory host/virtual name
                   Port                         389
                   Server Proxy Bind DN         cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com
                   Proxy Password               Password for oimadmin user
  Connection Test                               Validate that the test succeeds
  Namespace        Remote Base                  Remote Base should be empty
                   Mapped Namespace             cn=changelog

Verify that the summary is correct and then click Finish.

6. To edit the Change Log Adapter, follow the steps below:

a. Select the OIM Change Log Adapter.

b. Click the Plug-ins tab.

c. In the Deployed Plug-ins table, click the changelog plug-in, then click Edit in the plug-ins table. The plug-in editing window appears.

d. In the Parameters table, update the parameter values.

Edit the Change Log Adapter to either add or modify the properties so that they match the values shown in Table 5–10. You must add the sizeLimit and targetDNFilter properties to the adapter.

Table 5–10 Changelog Adapter Parameter Values

  Parameter              Value
  directoryType          activedirectory
  mapAttribute           targetGUID=objectGuid
  requiredAttribute      samaccountname
  sizeLimit              1000
  targetDNFilter         Optional parameter. For more information, see Important Notes on Changelog Plugin Configuration.
  oamEnabled             true or false. This parameter should be set to true only if you are setting up integration between Oracle Identity Manager and Oracle Access Manager at a later time.
  mapUserState           true. For more information, see Important Notes on Changelog Plugin Configuration.
  virtualDITAdapterName  The name of the User adapter. For more information, see Important Notes on Changelog Plugin Configuration.

Note: The parameter modifierDNFilter should not be added to the Active Directory Changelog plugin adapter.

e. Click OK.

f. Click Apply.

5.7.5.2.3 Creating Adapters for Oracle Directory Server Enterprise Edition (ODSEE)

User Adapter

Create the user adapter for Oracle Virtual Directory. Follow the steps below to create the User Adapter in Oracle Virtual Directory using Oracle Directory Services Manager.

1. Start the Administration Server and the ODSM Managed Server as described in Starting or Stopping the Oracle Stack.

2. Open a browser and bring up the ODSM console at http://hostname:port/odsm

Note: The default port number is 7005.

3. Connect to Oracle Virtual Directory by using the appropriate connection entry.

4. On the Home page, click the Adapter tab.

5. Start the New Adapter Wizard by clicking Create Adapter at the top of the adapter window.

6. Create a new adapter using the New Adapter Wizard, with the following parameters:

Note: For information about creating the Oracle Identity Manager user adapter by using Oracle Directory Services Manager, refer to the "Creating LDAP Adapters" topic in the Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory.

Table 5–11 Parameters for New User Adapter Creation

  Screen           Field                        Value/Step
  Type             Adapter Type                 LDAP
                   Adapter Name                 User Adapter
                   Adapter Template             User_SunOne
  Connection       Use DNS for Auto Discovery   No
                   Host                         Sun Java System Directory Server host/virtual name
                   Port                         Sun Java System Directory Server port
                   Server Proxy Bind DN         cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com
                   Proxy Password               Password for oimadmin user (cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com)
  Connection Test                               Validate that the test succeeds.
  Namespace        Remote Base                  dc=mycompany,dc=com
                   Mapped Namespace             dc=mycompany,dc=com

Verify that the summary is correct and then click Finish.

7. Edit the User Adapter as follows:

a. Select the OIM User Adapter.

b. Click the Plug-ins tab.

c. Click the User Management Plug-in, then click Edit in the plug-ins table. The plug-in editing window appears.

d. In the Parameters table, update the parameter values as follows:

Table 5–12 User Adapter Parameter Values

  Parameter        Value
  directoryType    sunone
  mapAttribute     orclGUID=nsUniqueID
  mapObjectclass   container=nsContainer
  pwdMaxFailure    10
  oamEnabled       true or false. This parameter should be set to true only if you are setting up integration between Oracle Identity Manager and Oracle Access Manager at a later time.

e. Click OK.

f. Click Apply.

Change Log Adapter

Follow the steps below to create the Change Log Adapter in Oracle Virtual Directory using Oracle Directory Services Manager.

1. Open a browser and bring up the ODSM console at http://hostname:port/odsm

Note: The default port number is 7005.

2. Connect to Oracle Virtual Directory by using the appropriate connection entry.

3. On the Home page, click the Adapter tab.

4. Start the New Adapter Wizard by clicking Create Adapter at the top of the adapter window.

5. Create a new adapter using the New Adapter Wizard, with the following parameters:

Note: For information about creating the Oracle Identity Manager user adapter by using Oracle Directory Services Manager, refer to the "Creating LDAP Adapters" topic in the Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory.

Table 5–13 Parameters for New Change Log Adapter Creation

  Screen           Field                        Value/Step
  Type             Adapter Type                 LDAP
                   Adapter Name                 OIM Change Log Adapter
                   Adapter Template             Changelog_SunOne
  Connection       Use DNS for Auto Discovery   No
                   Host                         Sun Java System Directory Server host/virtual name
                   Port                         Sun Java System Directory Server port
                   Server Proxy Bind DN         cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com
                   Proxy Password               Password for oimadmin user (cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com)
  Connection Test                               Validate that the test succeeds.
  Namespace        Remote Base                  Remote Base should be empty
                   Mapped Namespace             cn=changelog

Verify that the summary is correct, then click Finish.

6. To edit the Change Log Adapter, follow the steps below:

a. Select the OIM Change Log Adapter.

b. Click the Plug-ins tab.

c. In the Deployed Plug-ins table, click the changelog plug-in, then click Edit in the plug-ins table. The plug-in editing window appears.

d. In the Parameters table, update the parameter values.

Edit the Change Log Adapter to either add or modify the properties so that they match the values shown in Table 5–14. You must add the mapObjectclass, modifierDNFilter, sizeLimit, and targetDNFilter properties to the adapter.

Table 5–14 Changelog Adapter Parameter Values

  Parameter              Value
  directoryType          sunone
  mapAttribute           targetGUID=targetUniqueID
  mapObjectclass         changelog=changelogentry
  modifierDNFilter       !(modifiersname=cn=oimAdminUser,cn=systemids,<root suffix>)
                         Note: This is an example. This value can be any Proxy DN that the customer defines. For example, rootSuffix can be dc=mycompany,dc=com.
  sizeLimit              1000
  virtualDITAdapterName  Name of the iPlanet User Management adapter. For more information, see Important Notes on Changelog Plugin Configuration.
  targetDNFilter         Optional parameter. For more information, see Important Notes on Changelog Plugin Configuration.
  oamEnabled             true or false. This parameter should be set to true only if you are setting up integration between Oracle Identity Manager and Oracle Access Manager at a later time.
  mapUserState           true. For more information, see Important Notes on Changelog Plugin Configuration.

Note: For more information about these plug-in parameters, refer to the "Understanding the Oracle Virtual Directory Plug-ins" section in the Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory 11g Release 1 (11.1.1).

e. Click OK.

f. Click Apply.

5.7.5.2.4 Creating Adapters for Oracle Unified Directory (OUD)

User Adapter

Create the user adapter for Oracle Virtual Directory. Follow the steps below to create the User Adapter in Oracle Virtual Directory using Oracle Directory Services Manager.

1. Start the Administration Server and the ODSM Managed Server as described in Starting or Stopping the Oracle Stack.

2. Open a browser and bring up the ODSM console at http://hostname:port/odsm

Note: The default port number is 7005.

3. Connect to Oracle Virtual Directory by using the appropriate connection entry.

4. On the Home page, click the Adapter tab.

5. Start the New Adapter Wizard by clicking Create Adapter at the top of the adapter window.

6. Create a new adapter using the New Adapter Wizard, with the following parameters:

Note: For information about creating the Oracle Identity Manager user adapter by using Oracle Directory Services Manager, refer to the "Creating LDAP Adapters" topic in the Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory.

Table 5–15 Parameters for New User Adapter Creation

  Screen           Field                        Value/Step
  Type             Adapter Type                 LDAP
                   Adapter Name                 User Adapter
                   Adapter Template             User_OUD
  Connection       Use DNS for Auto Discovery   No
                   Host                         Oracle Unified Directory Server host/virtual name
                   Port                         Oracle Unified Directory Server port
                   Server Proxy Bind DN         cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com
                   Proxy Password               Password for oimadmin user (cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com)
  Connection Test                               Validate that the test succeeds.
  Namespace        Remote Base                  dc=mycompany,dc=com
                   Mapped Namespace             dc=mycompany,dc=com

Verify that the summary is correct and then click Finish.

7. Edit the User Adapter as follows:

a. Select the OIM User Adapter.

b. Click the Plug-ins tab.

c. Click the User Management Plug-in, then click Edit in the plug-ins table. The plug-in editing window appears.

d. In the Parameters table, update the parameter values as follows:

Table 5–16 User Adapter Parameter Values

  Parameter        Value
  directoryType    oud
  mapObjectclass   container=orclContainer
  pwdMaxFailure    10
  oamEnabled       true or false. This parameter should be set to true only if you are setting up integration between Oracle Identity Manager and Oracle Access Manager at a later time.

e. Click OK.

f. Click Apply.

Change Log Adapter

Follow the steps below to create the Change Log Adapter in Oracle Virtual Directory using Oracle Directory Services Manager.

1. Open a browser and bring up the ODSM console at http://hostname:port/odsm

Note: The default port number is 7005.

2. Connect to Oracle Virtual Directory by using the appropriate connection entry.

3. On the Home page, click the Adapter tab.

4. Start the New Adapter Wizard by clicking Create Adapter at the top of the adapter window.

5. Create a new adapter using the New Adapter Wizard, with the following parameters:

Note: For information about creating the Oracle Identity Manager user adapter by using Oracle Directory Services Manager, refer to the "Creating LDAP Adapters" topic in the Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory.

Table 5–17 Parameters for New Change Log Adapter Creation

  Screen           Field                        Value/Step
  Type             Adapter Type                 LDAP
                   Adapter Name                 OIM Change Log Adapter
                   Adapter Template             Changelog_OUD
  Connection       Use DNS for Auto Discovery   No
                   Host                         Oracle Unified Directory Server host/virtual name
                   Port                         Oracle Unified Directory Server port
                   Server Proxy Bind DN         cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com
                   Proxy Password               Password for oimadmin user (cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com)
  Connection Test                               Validate that the test succeeds.
  Namespace        Remote Base                  Remote Base should be empty
                   Mapped Namespace             cn=changelog

Verify that the summary is correct, then click Finish.

6. To edit the Change Log Adapter, follow the steps below:

a. Select the OIM Change Log Adapter.

b. Click the Plug-ins tab.

c. In the Deployed Plug-ins table, click the changelog plug-in, then click Edit in the plug-ins table. The plug-in editing window appears.

d. In the Parameters table, update the parameter values.

Edit the Change Log Adapter to either add or modify the properties so that they match the values shown in Table 5–18. You must add the mapObjectclass, modifierDNFilter, sizeLimit, and targetDNFilter properties to the adapter.

Table 5–18 Changelog Adapter Parameter Values

  Parameter              Value
  directoryType          oud
  mapAttribute           targetGUID=targetuniqueid
  mapObjectclass         changelog=changelogentry
  removeAttribute        entryuuid
  modifierDNFilter       !(modifiersname=cn=oimAdminUser,cn=systemids,<root suffix>)
                         Note: This is an example. This value can be any Proxy DN that the customer defines. For example, rootSuffix can be dc=mycompany,dc=com.
  sizeLimit              1000
  virtualDITAdapterName  Name of the OUD User Management adapter. For more information, see Important Notes on Changelog Plugin Configuration.
  targetDNFilter         Optional parameter. For more information, see Important Notes on Changelog Plugin Configuration.
  oamEnabled             true or false. This parameter should be set to true only if you are setting up integration between Oracle Identity Manager and Oracle Access Manager at a later time.
  mapUserState           true. For more information, see Important Notes on Changelog Plugin Configuration.

Note: For more information about these plug-in parameters, refer to the "Understanding the Oracle Virtual Directory Plug-ins" section in the Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory 11g Release 1 (11.1.1).

e. Click OK.

f. Click Apply.

5.7.5.2.5 Important Notes on Changelog Plugin Configuration

■ The virtualDITAdapterName parameter must be added after the changelog adapter is created.

virtualDITAdapterName identifies the corresponding user profile adapter name. For example, in a single-directory deployment, you can set this parameter value to A1, which is the user adapter name.

If you set virtualDITAdapterName to A1, the plug-in fetches the mapAttribute and mapObjectclass configuration from the UserManagementPlugin of adapter A1, so you do not have to duplicate those configurations.

This configuration is mandatory for directoryType=ActiveDirectory, so that the GUID mapping happens during incremental reconciliation and the missing required attribute exception (LDAP GUID=null) is avoided.

Add the attribute virtualDITAdapterName and set it to the value of the Active Directory User Management adapter name in the Active Directory changelog plugin. This is required to pick up the attribute mappings set in the Active Directory User Management adapter plugin, because the Active Directory schema and the OIM schema are different.

■ The targetDNFilter attribute should be set if you want to perform reconciliation from a certain user container and group container instead of from the root suffix.

These values should be the ones entered for User Container and Role Container during the configuration of Oracle Identity Manager when LDAP Sync is enabled.

For example:

targetDNFilter : cn=Groups,l=amer,dc=mycountry,dc=mycompany, dc=com

targetDNFilter : cn=Groups,l=amer,dc=mycountry,dc=mycompany, dc=com

These settings would pull in/reconcile all users and groups from the above mentioned containers in the backend Directory Server.

■ The changelog adapter plugin should always have the attribute mapUserState set to true, so that the attribute orclaccountenabled is returned in the search result.
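The rules above (mapUserState always true, virtualDITAdapterName pointing at the user adapter, modifierDNFilter hiding the proxy user's own writes except on Active Directory, sizeLimit 1000, targetDNFilter optional) are easy to get wrong when four directory types are configured by hand. The following is an added example, not Oracle code or configuration: it builds the changelog plug-in parameter set for a directory type from the values in Tables 5–5, 5–10, 5–14 and 5–18 and checks an existing parameter set against the same rules. The parameter names are the plug-in parameter names from the tables; the function names, the DIRECTORY_SPECIFIC table and PROXY_RDN are this example's own, and the root suffix passed in is a constructed sample.

```python
"""Build and sanity-check OVD changelog plug-in parameters for OIM LDAP Sync.

Added example, not Oracle's own code. It encodes the per-directory rows of
Tables 5-5, 5-10, 5-14 and 5-18 and the rules from "Important Notes on
Changelog Plugin Configuration". Function names and DIRECTORY_SPECIFIC are
this example's own; the parameter names are the plug-in's.
"""
from typing import Dict, List, Optional

# Rows that differ per directory type, copied from the tables above.
DIRECTORY_SPECIFIC: Dict[str, Dict[str, str]] = {
    "oid": {"mapAttribute": "targetGUID=orclguid",
            "requiredAttribute": "orclguid"},
    "activedirectory": {"mapAttribute": "targetGUID=objectGuid",
                        "requiredAttribute": "samaccountname"},
    "sunone": {"mapAttribute": "targetGUID=targetUniqueID",
               "mapObjectclass": "changelog=changelogentry"},
    "oud": {"mapAttribute": "targetGUID=targetuniqueid",
            "mapObjectclass": "changelog=changelogentry",
            "removeAttribute": "entryuuid"},
}

# Proxy bind user used in the tables; the deployment's root suffix is appended.
PROXY_RDN = "cn=oimAdminUser,cn=systemids"


def modifier_dn_filter(root_suffix: str, proxy_rdn: str = PROXY_RDN) -> str:
    """Filter that drops changelog entries written by the proxy user itself,
    so OIM does not reconcile its own LDAP Sync writes back in."""
    return f"!(modifiersname={proxy_rdn},{root_suffix})"


def build_changelog_params(directory_type: str, user_adapter_name: str,
                           root_suffix: str,
                           target_dn_filter: Optional[str] = None,
                           oam_enabled: bool = False) -> Dict[str, str]:
    """Return the changelog plug-in parameters for one directory type."""
    if directory_type not in DIRECTORY_SPECIFIC:
        raise ValueError(f"unsupported directoryType: {directory_type}")
    params: Dict[str, str] = {"directoryType": directory_type}
    params.update(DIRECTORY_SPECIFIC[directory_type])
    # Note under Table 5-10: no modifierDNFilter on the Active Directory adapter.
    if directory_type != "activedirectory":
        params["modifierDNFilter"] = modifier_dn_filter(root_suffix)
    params["sizeLimit"] = "1000"
    if target_dn_filter:  # optional: reconcile only from a given container
        params["targetDNFilter"] = target_dn_filter
    params["oamEnabled"] = "true" if oam_enabled else "false"
    params["mapUserState"] = "true"  # needed for orclaccountenabled to be returned
    params["virtualDITAdapterName"] = user_adapter_name
    return params


def validate_changelog_params(params: Dict[str, str]) -> List[str]:
    """Report deviations from the rules in this section; an empty list means OK."""
    problems: List[str] = []
    dtype = params.get("directoryType", "")
    if dtype not in DIRECTORY_SPECIFIC:
        return [f"unknown directoryType '{dtype}'"]
    for key, value in DIRECTORY_SPECIFIC[dtype].items():
        if params.get(key) != value:
            problems.append(f"{key} should be {value}")
    if params.get("mapUserState") != "true":
        problems.append("mapUserState must be true")
    if not params.get("virtualDITAdapterName"):
        problems.append("virtualDITAdapterName (user adapter name) is missing")
    if params.get("sizeLimit") != "1000":
        problems.append("sizeLimit should be 1000")
    has_filter = "modifierDNFilter" in params
    if dtype == "activedirectory" and has_filter:
        problems.append("modifierDNFilter must not be set for Active Directory")
    if dtype != "activedirectory" and not has_filter:
        problems.append("modifierDNFilter is required for this directory type")
    return problems


if __name__ == "__main__":
    # Constructed sample: root suffix and adapter name from the tables' examples.
    for dtype in DIRECTORY_SPECIFIC:
        p = build_changelog_params(dtype, "User Adapter", "dc=mycompany,dc=com")
        print(dtype, validate_changelog_params(p) or "OK")
```

Running the script prints OK for each of the four directory types; feeding validate_changelog_params a parameter set exported from an existing adapter is a quick way to catch a missing virtualDITAdapterName or a modifierDNFilter left on an Active Directory adapter before the incremental reconciliation jobs are enabled.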

Note: If you are using Identity Virtualization Library, then see "Managing Identity Virtualization Library (libOVD) Adapters" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

For more information about these plug-in parameters, refer to the "Understanding the Oracle Virtual Directory Plug-ins" section in the Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory 11g Release 1 (11.1.1).

5.7.6 Running the LDAP Post-Configuration Utility

You must run the LDAP post-configuration utility after you have configured the Oracle Identity Manager Server and exited the Oracle Identity Manager Configuration Wizard. The LDAP configuration post-setup script enables all the LDAP Sync-related incremental Reconciliation Scheduler jobs, which are disabled by default.

Setting Up Environment Variables

Before you run the LDAP post-configuration utility, you must ensure that the following environment variables are set:

■ APP_SERVER - is set to the application server on which Oracle Identity Manager is running. Set APP_SERVER to weblogic.

■ JAVA_HOME - is set to the directory where the JDK is installed on your machine.

■ MW_HOME - is set to the Middleware home path provided during the Oracle Identity Manager installation.

■ OIM_ORACLE_HOME - is set to the directory where Oracle Identity Manager is deployed.

For example:

On UNIX, it is the <MW_HOME>/IAM_Home directory.

On Windows, it is the <MW_HOME>\IAM_Home directory.

■ WL_HOME - is set to the wlserver_10.3 directory under your Middleware Home.

For example:

On UNIX, it is the <MW_HOME>/wlserver_10.3 directory.

On Windows, it is the <MW_HOME>\wlserver_10.3 directory.

■ DOMAIN_HOME - is set to the domain of the WebLogic Server.

For example:

On UNIX, it is the <MW_HOME>/user_projects/domains/base_domain directory.

On Windows, it is the <MW_HOME>\user_projects\domains\base_domain directory.
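A check for the environment described above, written as an added example rather than anything shipped with the guide or the utility. It uses the variable names and expected values from the list (APP_SERVER must be weblogic, WL_HOME is wlserver_10.3 under MW_HOME) and, following the guide's UNIX examples, treats OIM_ORACLE_HOME and DOMAIN_HOME as living under MW_HOME; that last rule is this example's assumption, as is the injectable isdir predicate, which lets the check run against a constructed environment without touching the filesystem. The sample paths are constructed.

```python
"""Check the environment the LDAP post-configuration utility expects.

Added example, not part of the guide or the utility. Variable names and the
required values come from "Setting Up Environment Variables"; the functions,
the "under MW_HOME" rule for OIM_ORACLE_HOME/DOMAIN_HOME and the sample
values are this example's own. UNIX path layout is assumed.
"""
import os
from typing import Callable, List, Mapping

REQUIRED = ("APP_SERVER", "JAVA_HOME", "MW_HOME",
            "OIM_ORACLE_HOME", "WL_HOME", "DOMAIN_HOME")


def _under(path: str, root: str) -> bool:
    """True if path equals root or lies inside it (after normalisation)."""
    path, root = os.path.normpath(path), os.path.normpath(root)
    return path == root or path.startswith(root + os.sep)


def check_environment(env: Mapping[str, str],
                      isdir: Callable[[str], bool] = os.path.isdir) -> List[str]:
    """Return a list of problems; an empty list means the utility can be run."""
    missing = [name for name in REQUIRED if not env.get(name)]
    if missing:  # later checks need the values, so stop here
        return [f"{name} is not set" for name in missing]
    problems: List[str] = []
    if env["APP_SERVER"] != "weblogic":
        problems.append(
            f"APP_SERVER must be 'weblogic', found '{env['APP_SERVER']}'")
    mw_home = env["MW_HOME"]
    expected_wl = os.path.join(mw_home, "wlserver_10.3")
    if os.path.normpath(env["WL_HOME"]) != os.path.normpath(expected_wl):
        problems.append(f"WL_HOME should be {expected_wl}, found {env['WL_HOME']}")
    # Assumption (from the guide's examples): both of these sit under MW_HOME.
    for name in ("OIM_ORACLE_HOME", "DOMAIN_HOME"):
        if not _under(env[name], mw_home):
            problems.append(f"{name}={env[name]} is outside MW_HOME={mw_home}")
    # Every path variable must point at a directory that actually exists.
    for name in REQUIRED[1:]:
        if not isdir(env[name]):
            problems.append(f"{name}={env[name]} is not an existing directory")
    return problems


def check_current_environment() -> List[str]:
    """Run the checks against the real process environment."""
    return check_environment(os.environ)


# Constructed sample environment following the guide's UNIX layout.
SAMPLE_MW_HOME = "/u01/app/oracle/middleware"
SAMPLE_ENV = {
    "APP_SERVER": "weblogic",
    "JAVA_HOME": "/usr/java/jdk1.6",
    "MW_HOME": SAMPLE_MW_HOME,
    "OIM_ORACLE_HOME": SAMPLE_MW_HOME + "/IAM_Home",
    "WL_HOME": SAMPLE_MW_HOME + "/wlserver_10.3",
    "DOMAIN_HOME": SAMPLE_MW_HOME + "/user_projects/domains/base_domain",
}

if __name__ == "__main__":
    for problem in check_current_environment():
        print("PROBLEM:", problem)
```

Run with no arguments it reports on the current shell; in a CI or pre-flight script, a non-empty result is the cue to stop before LDAPConfigPostSetup is invoked with a half-configured environment.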

Note: This procedure is applicable to all the Directory Server options. The LDAP post-configuration utility must be run after configuring Oracle Identity Manager Server. This procedure is required only if you chose to enable and configure LDAP Sync during the Oracle Identity Manager Server configuration.

Running the LDAP Post-Configuration Utility

Run the LDAP post-configuration utility as follows:

1. Open the ldapconfig.props file in a text editor. This file is located in the server/ldap_config_util directory under the IAM_Home for Oracle Identity and Access Management.

2. In the ldapconfig.props file, set values for the following parameters:

■ OIMServerType - Specify the application server on which Oracle Identity Manager is deployed.

For example:

OIMServerType=WLS

■ OIMProviderURL - Specify the URL for the OIM provider.

If the OIMServerType is WLS, then:

OIMProviderURL=t3://localhost:ManagedServerPort

For example:

OIMProviderURL=t3://localhost:14000

■ LDAPURL - Specify the URL for the OVD instance.

If OVD server is selected during Oracle Identity Manager installation, then provide a value for LDAPURL. If OVD server is not selected during Oracle Identity Manager installation, then leave LDAPURL blank.

LDAPURL=ldap://<OVD server>:<OVD Port>

For example:

LDAPURL=ldap://OVDserver.examplehost.exampledomain.com:6501

Note: If you have selected Active Directory or ODSEE or OUD as the directory server during Oracle Identity Manager installation, after enabling LDAPSync, do not specify a value for the LDAPURL parameter. Leave LDAPURL blank. For example: LDAPURL=

Enter the OVD server and OVD port number and specify the URL as the value only if you are using Oracle Virtual Directory (OVD) as the directory server.

■ LDAPAdminUsername - Specify the user name for the OVD Administrator.

If OVD server is selected during Oracle Identity Manager installation, then provide the Admin user name to connect to the LDAP/OVD Server.

For example:

LDAPAdminUsername=cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com

Notes:

■ LDAPAdminUsername is the name of the user used to connect to the Identity Store. For example: cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com

This LDAPAdminUsername should not be located in the user container where the customer's user accounts reside, for example cn=Users,cn=oracleAccounts,dc=mycompany,dc=com. This user should be outside the search scope in order to avoid reconciliation of this user into OIM.

■ If you have selected Active Directory or ODSEE or OUD as the directory server during Oracle Identity Manager installation, after enabling LDAPSync, do not specify a value for the LDAPAdminUsername parameter. Leave LDAPAdminUsername blank. For example: LDAPAdminUsername=

Enter the OVD admin user name as the value only if you are using Oracle Virtual Directory (OVD) as the directory server.

■ LIBOVD_PATH_PARAM - Specify the configuration directory path of libOVD.

If OVD server is not selected during Oracle Identity Manager installation, then provide the following value for this parameter:

LIBOVD_PATH_PARAM=<Middleware_Home>/user_projects/domains/base_domain/config/fmwconfig/ovd/oim

Notes:

■ If you have selected Active Directory or ODSEE or OUD as the directory server during Oracle Identity Manager installation, after enabling LDAPSync, specify the value for this property similar to the example given above.

■ If OVD server is selected during Oracle Identity Manager installation, then leave this parameter blank. For example: LIBOVD_PATH_PARAM=

■ ChangeLogNumber - Leave this parameter blank.

3. Ensure the required environment variables are set, as described in "Setting Up Environment Variables".

4. Start the Oracle Identity Manager Managed Server. For more information, see Starting the Servers.

5. The utility and the properties files are located in the server/ldap_config_util directory under your IAM_Home. IAM_Home is the Oracle Identity and Access Management home directory for Oracle Identity Manager, Oracle Access Management, Oracle Adaptive Access Manager, Oracle Entitlements Server, Oracle Identity Navigator, Oracle Privileged Account Manager, and Oracle Access Management Mobile and Social.

On the command line, run the LDAP configuration post-setup script as follows:

On Windows:

LDAPConfigPostSetup.bat <location of the directory containing the ldapconfig.props file>

For example:

LDAPConfigPostSetup.bat c:\Oracle\Middleware\IAM_Home\server\ldap_config_util

On UNIX:

LDAPConfigPostSetup.sh <location of the directory containing the ldapconfig.props file>

For example:

LDAPConfigPostSetup.sh <MW_Home>/IAM_Home/server/ldap_config_util

6. When prompted, enter the OIM administrator's password and the LDAP administrator password as applicable.
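The OVD and non-OVD rules for ldapconfig.props above are easy to get crossed, and the note about keeping LDAPAdminUsername outside the user container is a check worth automating. The following pre-flight check is an added example, not part of the guide or of Oracle's utility; its rule set and the three sample property files (placeholder hosts and DNs) are constructed here.

```python
"""Pre-flight check of an OIM ldapconfig.props file against the OVD /
non-OVD rules listed above. Added example, not Oracle's code: the rule set
and the three sample files are constructed here."""
import re

# Parameters the guide tells you to set (a value may be blank on purpose).
REQUIRED_KEYS = ("OIMServerType", "OIMProviderURL", "LDAPURL",
                 "LDAPAdminUsername", "LIBOVD_PATH_PARAM", "ChangeLogNumber")


def parse_props(text):
    """Parse Java-style key=value lines; '#' or '!' starts a comment."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:  # a line without '=' carries no value and is skipped
            props[key.strip()] = value.strip()
    return props


def dn_is_under(dn, container):
    """True if dn is the container itself or an entry below it."""
    d = [p.strip().lower() for p in dn.split(",")]
    c = [p.strip().lower() for p in container.split(",")]
    return len(d) >= len(c) and d[-len(c):] == c


def check_ldapconfig(text, user_container=None):
    """Return a list of findings; an empty list means the file follows the
    rules. user_container is the DN under which end-user accounts live."""
    p = parse_props(text)
    findings = ["missing parameter: %s" % k for k in REQUIRED_KEYS if k not in p]
    if findings:
        return findings
    if p["OIMServerType"] != "WLS":
        findings.append("OIMServerType must be WLS")
    if not re.fullmatch(r"t3s?://[^:/\s]+:\d{1,5}", p["OIMProviderURL"]):
        findings.append("OIMProviderURL must look like t3://host:ManagedServerPort")
    if p["ChangeLogNumber"]:
        findings.append("ChangeLogNumber must be left blank")
    if p["LDAPURL"]:  # OVD selected: OVD URL and admin set, libOVD path blank
        if not re.fullmatch(r"ldaps?://[^:/\s]+:\d{1,5}", p["LDAPURL"]):
            findings.append("LDAPURL must look like ldap://<OVD server>:<OVD Port>")
        if not p["LDAPAdminUsername"]:
            findings.append("LDAPAdminUsername is required when OVD is used")
        if p["LIBOVD_PATH_PARAM"]:
            findings.append("LIBOVD_PATH_PARAM must be blank when OVD is used")
    else:  # AD, ODSEE or OUD: URL and admin blank, libOVD path set
        if p["LDAPAdminUsername"]:
            findings.append("LDAPAdminUsername must be blank when OVD is not used")
        path = p["LIBOVD_PATH_PARAM"].replace("\\", "/")
        if not path:
            findings.append("LIBOVD_PATH_PARAM is required when OVD is not used")
        elif not path.endswith("/config/fmwconfig/ovd/oim"):
            findings.append("LIBOVD_PATH_PARAM should end with config/fmwconfig/ovd/oim")
    # The bind account must sit outside the user container, or LDAP sync
    # will reconcile it into OIM as an ordinary user.
    admin = p["LDAPAdminUsername"]
    if user_container and admin and dn_is_under(admin, user_container):
        findings.append("LDAPAdminUsername lies inside the user container")
    return findings


# Constructed sample files; host names and DNs are placeholders.
OVD_PROPS = """\
OIMServerType=WLS
OIMProviderURL=t3://localhost:14000
LDAPURL=ldap://ovdserver.example.com:6501
LDAPAdminUsername=cn=oimAdminUser,cn=systemids,dc=example,dc=com
LIBOVD_PATH_PARAM=
ChangeLogNumber=
"""
AD_PROPS = """\
OIMServerType=WLS
OIMProviderURL=t3://localhost:14000
LDAPURL=
LDAPAdminUsername=
LIBOVD_PATH_PARAM=/u01/Middleware/user_projects/domains/base_domain/config/fmwconfig/ovd/oim
ChangeLogNumber=
"""
BAD_PROPS = """\
OIMServerType=WLS
OIMProviderURL=http://localhost:14000
LDAPURL=ldap://ovdserver.example.com:6501
LDAPAdminUsername=cn=oimAdminUser,cn=Users,cn=oracleAccounts,dc=example,dc=com
LIBOVD_PATH_PARAM=/u01/Middleware/user_projects/domains/base_domain/config/fmwconfig/ovd/oim
ChangeLogNumber=
"""
USER_CONTAINER = "cn=Users,cn=oracleAccounts,dc=example,dc=com"

if __name__ == "__main__":
    for name, text in (("ovd", OVD_PROPS), ("ad", AD_PROPS), ("bad", BAD_PROPS)):
        print(name, check_ldapconfig(text, USER_CONTAINER) or "OK")
```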

Notes:

■ If you have selected Active Directory or ODSEE or OUD as the directory server during Oracle Identity Manager installation, then after enabling LDAPSync, when you run this utility it prompts only for the OIM admin password. This OIM admin password is the xelsysadm password.

■ If you have selected OVD as the directory server during Oracle Identity Manager installation, then after enabling LDAPSync, when you run this utility it prompts for the following passwords:

LDAP admin password - the OVD server's admin password.

OIM admin password - the xelsysadm password.

Note: Ensure that the chosen Directory server or OVD, and Oracle Identity Manager are up and running.

5.7.7 Verifying the LDAP Synchronization

To verify the configuration of LDAP with Oracle Identity Manager, complete the following steps:

1. Ensure that the WebLogic Administration Server and the Oracle Identity Manager Managed Server are up and running.

2. Invoke the Oracle Identity Manager Administration Console (http://<host>:<port>/sysadmin), which is deployed on the Administration Server.

3. In this console, click Search under Configurations -> Manage IT Resource. If the LDAP information is correct, the resource information is displayed. Verify that the values you provided during the Oracle Identity Manager configuration when enabling LDAPSync match the parameter values shown here, such as Search Base, Reservation Container, URL, and bind DN.

For more information, see "Managing IT Resources" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

4. Create a normal user using the Oracle Identity Manager Self Service Console:

http://<host>:<port>/identity

5. If a user is created, verify the creation in the chosen LDAP store or OVD using any LDAP client.

5.7.8 Post-Configuration Steps

After installing and configuring Oracle Identity Manager Server, you must complete the following manual steps:

■ Set the XEL_HOME variable in the setenv script (setenv.bat on Windows, and setenv.sh on UNIX) as follows:

On Windows:

Open the <IAM_Home>\server\bin\setenv.bat file and search for XEL_HOME variable. Update the path of the XEL_HOME variable to the absolute path of <IAM_Home>\server.

For example, if your IAM_Home is the C:\oracle\Middleware\IAM_Home directory, then set XEL_HOME in the setenv.bat file to the C:\oracle\Middleware\IAM_Home\server directory.

On UNIX:

Open the <IAM_Home>/server/bin/setenv.sh file and search for the XEL_HOME variable. Update the path of the XEL_HOME variable to the absolute path of <IAM_Home>/server.

For example, if your IAM_Home is the /test/Middleware/IAM_Home directory, then set XEL_HOME in the setenv.sh file to the /test/Middleware/IAM_Home/server directory.

■ If you are extending an Oracle Identity Manager domain to include Oracle Privileged Account Manager, you must complete the following steps:

1. Go to <DOMAIN_HOME>/config/fmwconfig directory. Create a backup of the jps-config.xml file.

2. Edit the jps-config.xml file. Locate the section of the file containing jpsContexts, as shown below:

<jpsContexts default="default">
  <jpsContext name="default">
    <serviceInstanceRef ref="credstore.db"/>
    <serviceInstanceRef ref="keystore.db"/>
    <serviceInstanceRef ref="policystore.db"/>
    <serviceInstanceRef ref="audit.db"/>
    <serviceInstanceRef ref="idstore.oim"/>
    <serviceInstanceRef ref="trust"/>
    <serviceInstanceRef ref="pdp.service"/>
    <serviceInstanceRef ref="attribute"/>
    <serviceInstanceRef ref="sso.inst.0"/>
  </jpsContext>

3. Make a copy of the above entry and change <jpsContext name="default"> to <jpsContext name="oim">

4. Edit the original entry and change <serviceInstanceRef ref="idstore.oim"/> to <serviceInstanceRef ref="idstore.ldap"/>

5. After you have edited the file, the final version of the file should look like the one shown below:

<jpsContexts default="default">
  <jpsContext name="default">
    <serviceInstanceRef ref="credstore.db"/>
    <serviceInstanceRef ref="keystore.db"/>
    <serviceInstanceRef ref="policystore.db"/>
    <serviceInstanceRef ref="audit.db"/>
    <serviceInstanceRef ref="idstore.ldap"/>
    <serviceInstanceRef ref="trust"/>
    <serviceInstanceRef ref="pdp.service"/>
    <serviceInstanceRef ref="attribute"/>
    <serviceInstanceRef ref="sso.inst.0"/>
  </jpsContext>
  <jpsContext name="oim">
    <serviceInstanceRef ref="credstore.db"/>
    <serviceInstanceRef ref="keystore.db"/>
    <serviceInstanceRef ref="policystore.db"/>
    <serviceInstanceRef ref="audit.db"/>
    <serviceInstanceRef ref="idstore.oim"/>
    <serviceInstanceRef ref="trust"/>
    <serviceInstanceRef ref="pdp.service"/>
    <serviceInstanceRef ref="attribute"/>
    <serviceInstanceRef ref="sso.inst.0"/>
  </jpsContext>

6. Save the jps-config.xml file.

7. Log in to Oracle Enterprise Manager Fusion Middleware Control using your WebLogic Server administrator credentials.

8. Click on Identity and Access > oim > oim(11.1.1.2.0). Right-click and select System MBean Browser. The System MBean Browser page is displayed.

9. Select Application Defined MBeans.

10. Under Application Defined MBeans, select oracle.as.soainfra.config > Server:<soa_server> > WorkflowIdentityConfig > human-workflow > WorkflowIdentityConfig.ConfigurationType > jazn.com > WorkflowIdentityConfig.ConfigurationType.ProviderType > JpsProvider > WorkflowIdentityConfig.ConfigurationType.ProviderType.PropertyType

11. Click on jpsContextName and change the Value to oim.

12. Click Apply.

13. Restart the WebLogic Administration Server, SOA Managed Server, and Oracle Identity Manager Managed Server, as described in Appendix C.1, "Starting the Stack".
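The jps-config.xml edit in steps 2 to 5 is easy to get wrong by hand (the copy must keep idstore.oim while the original switches to idstore.ldap). The following script performs the same edit with the standard library and refuses to apply it twice; it is an added example, not Oracle's tooling, and the sample document it works on is constructed from the snippet shown above, wrapped in a root element so that it parses.

```python
"""Apply the jps-config.xml edit from steps 2 to 5 above with
xml.etree.ElementTree: clone the "default" jpsContext as "oim" (keeping
idstore.oim there) and switch the original "default" context to
idstore.ldap. Added example, not Oracle's own tooling; the sample below is
constructed and contains only the elements the guide shows."""
import copy
import xml.etree.ElementTree as ET

# Constructed sample: the jpsContexts section as shown in the guide, wrapped
# in a root element. A real file may carry an XML namespace, so all tags
# below are matched by local name only.
SAMPLE_JPS_CONFIG = """<jpsConfig>
<jpsContexts default="default">
  <jpsContext name="default">
    <serviceInstanceRef ref="credstore.db"/>
    <serviceInstanceRef ref="keystore.db"/>
    <serviceInstanceRef ref="policystore.db"/>
    <serviceInstanceRef ref="audit.db"/>
    <serviceInstanceRef ref="idstore.oim"/>
    <serviceInstanceRef ref="trust"/>
    <serviceInstanceRef ref="pdp.service"/>
    <serviceInstanceRef ref="attribute"/>
    <serviceInstanceRef ref="sso.inst.0"/>
  </jpsContext>
</jpsContexts>
</jpsConfig>
"""


def _local(tag):
    """Strip a namespace prefix such as '{uri}' from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _find_contexts(root):
    """Return the jpsContexts element, namespaced or not."""
    for el in root.iter():
        if _local(el.tag) == "jpsContexts":
            return el
    raise ValueError("no jpsContexts element found")


def _context(contexts, name):
    """Return the jpsContext child with the given name, or None."""
    for ctx in contexts:
        if _local(ctx.tag) == "jpsContext" and ctx.get("name") == name:
            return ctx
    return None


def context_refs(xml_text, name):
    """List the serviceInstanceRef values of the named jpsContext, in order."""
    ctx = _context(_find_contexts(ET.fromstring(xml_text)), name)
    if ctx is None:
        return None
    return [el.get("ref") for el in ctx if _local(el.tag) == "serviceInstanceRef"]


def is_already_edited(xml_text):
    """True once an "oim" context exists, i.e. the edit has been applied."""
    return _context(_find_contexts(ET.fromstring(xml_text)), "oim") is not None


def add_oim_context(xml_text):
    """Return the edited document as a string; raises ValueError if the file
    is not in the pre-edit shape the guide describes."""
    root = ET.fromstring(xml_text)
    contexts = _find_contexts(root)
    default = _context(contexts, "default")
    if default is None:
        raise ValueError('no jpsContext named "default"')
    if _context(contexts, "oim") is not None:
        raise ValueError('a jpsContext named "oim" already exists')
    oim_refs = [el for el in default
                if _local(el.tag) == "serviceInstanceRef"
                and el.get("ref") == "idstore.oim"]
    if not oim_refs:
        raise ValueError('"default" context does not reference idstore.oim')
    # Step 3: copy the whole entry and rename the copy to "oim".
    oim_ctx = copy.deepcopy(default)
    oim_ctx.set("name", "oim")
    contexts.append(oim_ctx)
    # Step 4: the original entry now points at the LDAP identity store.
    for el in oim_refs:
        el.set("ref", "idstore.ldap")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(add_oim_context(SAMPLE_JPS_CONFIG))
```

Run it against a backup copy of DOMAIN_HOME/config/fmwconfig/jps-config.xml (step 1) and diff the result against the original before replacing the file.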

5.7.9 Setting oamEnabled Parameter for Identity Virtualization Library

Follow these steps to set the oamEnabled parameter. You must set the oamEnabled parameter to true only if you want to integrate Oracle Identity Manager and Oracle Access Management at a later time. This procedure applies only if you use Identity Virtualization Library.

Note: Before logging in to Oracle Enterprise Manager Fusion Middleware Control, ensure that the Oracle Identity Manager Managed Server is up and running.

1. Log in to Oracle Enterprise Manager Fusion Middleware Control at http://adminvhn.mycompany.com:7001/em as user weblogic.

2. Go to Weblogic Domain -> base_domain. Right-click Oim(11.1.1.3.0), and click System MBean Browser.

3. Go to: Application defined MBeans -> com.oracle -> Domain:base_domain -> OVD

4. You will see AdaptersConfig options. Click on the one that has a plus (+) symbol, indicating a subtree. Then click on OVDAdaptersConfig. You should see CHANGELOG_oid1 and oid1.

5. Configure oamEnabled in both the adapters.

Follow these steps to configure oamEnabled in the Changelog adapter:

a. Click on CHANGELOG_oid1 and keep going down the tree until the very end. You should see changelog with a bean symbol. Double click on changelog.

b. Click on the operations subtab.

c. Click on removeParam operation.

d. Enter oamEnabled in the textbox and click invoke. It should give you a false or a true.

e. Return to the original page with operations.

f. Click on AddParam operation.

g. Edit the names and values to contain oamEnabled and true.

h. Click invoke to complete the addParam operation.

Follow these steps to configure oamEnabled in the UserManagement adapter:

a. Click on oid1 and keep going down the tree until the very end. You should see UserManagement with a bean symbol. Double click on UserManagement.

b. Click on the operations subtab.

c. Click on removeParam operation.

d. Enter oamEnabled in the textbox and click invoke. It should give you a false or a true.

e. Return to the original page with operations.

f. Click on AddParam operation.

g. Edit the names and values to contain oamEnabled and true.

h. Click invoke to complete the addParam operation.

6. Restart Oracle Identity Manager Managed Server and SOA Managed Server.

5.7.10 Enabling LDAP Sync after Installing and Configuring Oracle Identity Manager Server at a Later Point

LDAP Sync can be enabled at any point after installing and configuring Oracle Identity Manager Server. For more information on enabling LDAP Sync after installing and configuring Oracle Identity Manager Server, see "Enabling LDAP Synchronization in Oracle Identity Manager" in the Oracle Fusion Middleware Integration Guide for Oracle Identity Management Suite.

5.8 Optional: Configuring Oracle Identity Manager Design Console

This topic describes how to install and configure only Oracle Identity Manager Design Console, which is supported on Windows operating systems only.

It includes the following sections:

■ Appropriate Deployment Environment


■ Components Deployed

■ Dependencies

■ Procedure

■ Post-Configuration Steps

■ Updating the xlconfig.xml File to Change the Port for Design Console

■ Configuring Design Console to Use SSL

5.8.1 Appropriate Deployment Environment

Perform the installation and configuration in this topic if you want to install Oracle Identity Manager Design Console on a separate Windows machine where Oracle Identity Manager Server is not configured. For more information, see Scenario 1: Oracle Identity Manager Server and Design Console on Different Machines.

5.8.2 Components Deployed

Performing the installation and configuration in this section deploys only Oracle Identity Manager Design Console on the Windows operating system.

5.8.3 Dependencies

The installation and configuration in this section depends on the installation of Oracle Identity and Access Management 11g software and on the configuration of Oracle Identity Manager Server. For more information, see Installing Oracle Identity and Access Management (11.1.2) and Configuring Oracle Identity Manager Server.

5.8.4 Procedure

Perform the following steps to install and configure only Oracle Identity Manager Design Console on the Windows operating system:

1. Ensure that all the prerequisites, described in Prerequisites for Configuring Only Oracle Identity Manager Design Console on a Different Machine, are satisfied. In addition, see Important Notes Before You Start Configuring Oracle Identity Manager.

2. On the Windows machine where Oracle Identity Manager Design Console should be configured, start the Oracle Identity Manager Configuration Wizard, as described in Starting the Oracle Identity Manager 11g Configuration Wizard. The Welcome screen appears.

3. On the Welcome screen, click Next. The Components to Configure screen appears.

On the Components to Configure screen, select only the OIM Design Console check box. Click Next. The OIM Server Host and Port screen appears.

4. On the OIM Server Host and Port screen, enter the host name of the Oracle Identity Manager Server in the OIM Server Hostname field. In the OIM Server Port field, enter the port number for the Oracle Identity Manager Server on which the Oracle Identity Manager application is running. Click Next. The Configuration Summary screen appears.

The Configuration Summary screen lists the application that you selected for configuration and summarizes your configuration options, such as OIM Server host name and port.


Review this summary and decide whether to start the configuration. If you want to modify any of the configuration settings at this stage, select a topic in the left navigation page and modify your choices. To continue installing this configuration of the Oracle Identity Manager Design Console, click Configure.

Note: Before configuring an application, you can save your configuration settings and preferences in a response file. Response files are text files that you can create or edit in a text editor. You can use response files to perform a silent installation or use as templates or customized settings for your environment. For more information, see Performing a Silent Installation.

After you click Configure, the Configuration Progress screen appears. A configuration log is saved to the logs directory under Oracle Inventory directory. For information about the log files, see Installation Log Files. If the Configuration Progress screen displays any errors, click Abort to stop the installation and restart the Oracle Identity Manager Configuration Wizard.

Note: If the configuration fails, click Abort to stop the installation and restart the Oracle Identity Manager Configuration Wizard, as described in Starting the Oracle Identity Manager 11g Configuration Wizard.

5. Click Finish.

5.8.5 Post-Configuration Steps

Complete the following steps after configuring the Oracle Identity Manager Design Console on the Windows operating system:

1. On the machine where Oracle WebLogic Server is installed (the machine where Oracle Identity Manager Server is installed), create the wlfullclient.jar file as follows:

a. Use the cd command to move from your present working directory to the <MW_HOME>\wlserver_10.3\server\lib directory.

b. Ensure that JAVA_HOME is set, as in the following example:

D:\oracle\<MW_HOME>\jdk160_24

To set this variable, right-click the My Computer icon and select Properties. The System Properties screen is displayed. Click the Advanced tab and click the Environment Variables button. The Environment Variables screen is displayed. Ensure that the JAVA_HOME variable in the User Variables section is set to the path of the JDK directory installed on your machine.

After setting the JAVA_HOME variable, select the Path variable in the System Variables section on the same Environment Variables screen, and click Edit. The Edit System Variable dialog box is displayed. In the variable value field, enter the complete path to your JAVA_HOME, such as D:\oracle\<MW_HOME>\jdk160_24, preceded by a semicolon (;). The semicolon is used as the delimiter for multiple paths entered in this field.

c. After verifying the values, click OK.

2. Use the following steps to create a wlfullclient.jar file for a JDK 1.6 client application:

a. Change directories to the server/lib directory.

cd WL_HOME/server/lib

b. Use the following command to create wlfullclient.jar in the server/lib directory:

java -jar wljarbuilder.jar

This command generates the wlfullclient.jar file.

3. Copy the wlfullclient.jar file to the <IAM_Home>\designconsole\ext\ directory on the machine where Design Console is configured.

4. Ensure that the Administration Server and the Oracle Identity Manager Managed Server are started. For information about starting the servers, see Starting the Stack.

5. Start the Design Console client by running the xlclient.cmd executable script, which is available in the <IAM_Home>\designconsole\ directory.

6. Log in to the Design Console with your Oracle Identity Manager user name and password.

5.8.6 Updating the xlconfig.xml File to Change the Port for Design Console

To update the xlconfig.xml file and start the Design Console on a new port, as opposed to the port that was set during configuration, complete the following steps:

Note: You do not have to perform this procedure during installation. It is required if you want to change ports while using the product. You must ensure that the Oracle Identity Manager server port is changed to this new port before performing these steps.

1. In a text editor, open the <IAM_Home>\designconsole\config\xlconfig.xml file.

2. Edit the following tags:

■ ApplicationURL

■ java.naming.provider.url

3. Change the port number.

4. Restart the Design Console.

5.8.7 Configuring Design Console to Use SSL

To configure the Design Console to use SSL, complete the following steps:

1. Add the WebLogic Server jar files required to support SSL by copying the webserviceclient+ssl.jar file from the <WL_HOME>/server/lib directory to the <IAM_Home>/designconsole/ext directory.

2. Use the server trust store in Design Console as follows:

a. Log in to the Oracle WebLogic Administration Console using the WebLogic administrator credentials.

b. Under Domain Structure, click Environment > Servers. The Summary of Servers page is displayed.

c. Click on the Oracle Identity Manager server name (for example, oim_server1). The Settings for oim_server1 page is displayed.

d. Click the Keystores tab.

e. From the Trust section, note down the path and file name of the trust keystore.

3. Set the TRUSTSTORE_LOCATION environment variable as follows:

■ If Oracle Identity Manager Design Console and Oracle Identity Manager Server are installed and configured on the same machine, set the TRUSTSTORE_LOCATION environment variable to the location of the trust keystore that you noted down.

For example, in csh or tcsh: setenv TRUSTSTORE_LOCATION /test/DemoTrust.jks (in sh or bash: export TRUSTSTORE_LOCATION=/test/DemoTrust.jks)

■ If Oracle Identity Manager Design Console and Oracle Identity Manager Server are installed and configured on different machines, copy the trust keystore file to the machine where Design Console is configured. Set the TRUSTSTORE_LOCATION environment variable to the location of the copied trust keystore file on the local machine.

4. If the Design Console was installed without SSL enabled, complete the following steps:

a. Open the <IAM_Home>/designconsole/config/xlconfig.xml file in a text editor.

b. Edit the <ApplicationURL> entry to use HTTPS, the T3S protocol, and the SSL port to connect to the server, as in the following example:

<ApplicationURL>https://<host>:<sslport>/xlWebApp/loginWorkflowRenderer.do</ApplicationURL>

Note: For a clustered installation, you can send an https request to only one of the servers in the cluster, as shown in the following element:

<java.naming.provider.url>t3s://<host>:<sslport></java.naming.provider.url>

c. Save the file and exit.

5.9 Optional: Configuring Oracle Identity Manager Remote Manager

This topic describes how to install and configure only Oracle Identity Manager Remote Manager. It includes the following sections:

■ Appropriate Deployment Environment

■ Components Deployed

■ Dependencies

■ Procedure

5.9.1 Appropriate Deployment Environment

Perform the installation and configuration in this topic if you want to install Oracle Identity Manager Remote Manager on a separate machine. For more information, see Scenario 2: Oracle Identity Manager Server and Remote Manager on Different Machines.

5.9.2 Components Deployed

Performing the installation and configuration in this section deploys only Oracle Identity Manager Remote Manager.

5.9.3 Dependencies

The installation and configuration in this section depends on the installation of Oracle Identity and Access Management 11g software and on the configuration of Oracle Identity Manager Server. For more information, see Installing Oracle Identity and Access Management (11.1.2) and Prerequisites for Configuring Only Oracle Identity Manager Remote Manager on a Different Machine.

5.9.4 Procedure

Perform the following steps to install and configure only Oracle Identity Manager Remote Manager:

1. Ensure that all the prerequisites, described in Prerequisites for Configuring Only Oracle Identity Manager Remote Manager on a Different Machine, are satisfied. In addition, see Important Notes Before You Start Configuring Oracle Identity Manager.

2. On the machine where Oracle Identity Manager Remote Manager should be configured, start the Oracle Identity Manager Configuration Wizard, as described in Starting the Oracle Identity Manager 11g Configuration Wizard. The Welcome screen appears.

3. On the Welcome screen, click Next. The Components to Configure screen appears.

On the Components to Configure screen, select only the OIM Remote Manager check box. Click Next. The Remote Manager screen appears.

4. On the Remote Manager screen, enter the service name in the Service Name field. Oracle Identity Manager Remote Manager will be registered under this service name. The service name is used with the Registry URL to build a fully qualified service name, such as rmi://host:RMI Registry Port/service name.

5. In the RMI Registry Port field, enter the port number on which the RMI registry should be started. The default port number is 12345.

6. In the Listen Port (SSL) field, enter the port number on which a secure socket is opened to listen to client requests. The default port number is 12346. Click Next. The Keystore Password screen appears.

7. On the KeyStore Password screen, in the KeyStore Password field, enter a new password for the keystore. A valid password contains 6 to 30 characters, begins with an alphabetic character, and uses only alphanumeric characters and special characters like Dollar ($), Underscore (_), and Pound (#). The password must contain at least one number. In the Confirm KeyStore Password field, enter the new password again. Click Next. The Configuration Summary screen appears.

Note: Oracle Identity Manager Server certificates, such as xlserver.cert, are created in the DOMAIN_HOME/config/fmwconfig/ directory. You can use these certificates if you require server-side certificates for configuring Oracle Identity Manager Remote Manager.

8. The Configuration Summary screen lists the application that you selected for configuration and summarizes your configuration options, such as Remote Manager Service Name, RMI Registry Port, and Remote Manager Listen Port (SSL).

Review this summary and decide whether to start the configuration. If you want to modify any of the configuration settings at this stage, select a topic in the left navigation page and modify your choices. To continue installing this configuration of the Oracle Identity Manager Remote Manager, click Configure.

Note: Before configuring an application, you can save your configuration settings and preferences in a response file. Response files are text files that you can create or edit in a text editor. You can use response files to perform a silent installation or use as templates or customized settings for your environment. For more information, see Performing a Silent Installation.

9. After you click Configure, the Configuration Progress screen appears. A configuration log is saved to the logs directory under Oracle Inventory directory. For information about the log files, see Installation Log Files. If the Configuration Progress screen displays any errors, click Abort to stop the installation and restart the Oracle Identity Manager Configuration Wizard.

If the configuration fails, click Abort to stop the installation and restart the Oracle Identity Manager Configuration Wizard, as described in Starting the Oracle Identity Manager 11g Configuration Wizard.

10. Click Finish.

5.10 Verifying the Oracle Identity Manager Installation

Before you can verify the Oracle Identity Manager installation, ensure that the following servers are up and running:

■ Administration Server for the domain in which the Oracle Identity Manager application is deployed

■ Managed Server hosting Oracle Identity Manager

■ Managed Server hosting the Oracle SOA 11g suite

You can verify your Oracle Identity Manager installation by:

■ Checking the Oracle Identity Manager System Administration URL, such as http://<Hostname>:<Port>/sysadmin

■ Checking the Oracle Identity Manager Self Service URL, such as http://<Hostname>:<Port>/identity

■ Verifying the configuration between Oracle Identity Manager and Oracle SOA (BPEL Process Manager) as follows:

a. Log in to the SOA Infrastructure with WebLogic credentials to verify whether the composite applications are displayed.

http://<host>:<bpel_port>/soa-infra

b. Log in to the Oracle Identity Manager Self Service Console as an end user:

http://<host>:<oim_port>/identity

c. Navigate to My Information. Modify any attribute and click Save. This should raise a request. Log out of the Self Service Console.

d. Log in to the Oracle Identity Manager Self Service Console as xelsysadm.

e. Navigate to Pending Approvals. In the list of tasks, verify whether the request has come for approval.

f. Click on the task, and click Approve in the Actions tab.

g. Click on the refresh icon. The request comes back. Approve it again.

h. Navigate to Track Requests and verify whether the request is completed.

i. Navigate to Users and verify whether the user profile is modified.

■ Logging in to the Design Console, with xelsysadm, and the appropriate password. A successful login indicates that the installation was successful.

■ Starting the Remote Manager service by running remotemanager.sh (on UNIX) or remotemanager.bat (on Windows), as appropriate. The script resides in your Oracle Home directory under a folder named remote_manager.

5.11 Setting Up Integration with Oracle Access Management

For information about setting up integration between Oracle Identity Manager and Oracle Access Manager, see "Integrating Access Manager and Oracle Identity Manager" in the Oracle Fusion Middleware Integration Guide for Oracle Identity Management Suite.

5.12 List of Supported Languages

Oracle Identity Manager supports the following languages:

Arabic, Brazilian Portuguese, Czech, Danish, Dutch, Finnish, French, German, Greek, Hebrew, Hungarian, Italian, Japanese, Korean, Norwegian, Polish, Portuguese, Romanian, Russian, Simplified Chinese, Slovak, Spanish, Swedish, Thai, Traditional Chinese, and Turkish

5.13 Using the Diagnostic Dashboard

Diagnostic Dashboard is a stand-alone application that helps you validate some of the Oracle Identity Manager prerequisites and installation.

You must have the appropriate system administrator permissions for your Application Server and Oracle Identity Manager environments to use this tool. You need DBA-level permissions to execute some database-related tests.

Note: The Diagnostic Dashboard and Oracle Identity Manager must be installed on the same application server.

For more information about installing and using the Diagnostic Dashboard for Oracle Identity Manager, see the "Working with the Diagnostic Dashboard" topic in the Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager.


5.14 Getting Started with Oracle Identity Manager After Installation

After installing Oracle Identity Manager, refer to "Oracle Identity Manager System Administration Interface" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.


6 Configuring Oracle Access Management

This chapter explains how to configure Oracle Access Management. It includes the following topics:

■ Overview

■ Important Note Before You Begin

■ Installation and Configuration Roadmap for Oracle Access Management

■ Optional: Setting Up TDE for Oracle Access Management

■ Oracle Access Management in a New WebLogic Domain

■ Starting the Servers

■ Optional Post-Installation Tasks

■ Verifying the Oracle Access Management Installation

■ Setting Up Oracle Access Manager Agents

■ Setting Up Integration with OIM

■ Getting Started with Oracle Access Management After Installation

6.1 Overview

Oracle Identity and Access Management 11g Release 2 (11.1.2) contains Oracle Access Management, which includes the following services:

■ Oracle Access Manager

■ Oracle Access Management Security Token Service

■ Oracle Access Management Identity Federation

■ Oracle Access Management Mobile and Social

Note: For an introduction to Oracle Access Management, see "Oracle Product Introduction" in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

6.2 Important Note Before You Begin

Before you start installing and configuring Oracle Identity and Access Management products in any of the scenarios discussed in this guide, note that IAM_Home is used to refer to the Oracle Home directory that includes Oracle Identity Manager, Oracle Access Management, Oracle Adaptive Access Manager, Oracle Entitlements Server, Oracle Identity Navigator, Oracle Privileged Account Manager, and Oracle Access Management Mobile and Social. You can specify any name for this Oracle Home directory.

6.3 Installation and Configuration Roadmap for Oracle Access Management

Table 6–1 lists the tasks for installing and configuring Oracle Access Management.

Table 6–1 Installation and Configuration Flow for Oracle Access Management

No. Task Description

1 Review installation concepts in the Installation Planning Guide.

Read the Oracle Fusion Middleware Installation Planning Guide, which describes the process for various users to install or upgrade to Oracle Fusion Middleware 11g (11.1.2) depending on the user's existing environment.

2 Review the system requirements and certification documents to ensure that your environment meets the minimum installation requirements for the components you are installing.

For more information, see Section 2.1, "Reviewing System Requirements and Certification".

3 Obtain the Oracle Fusion Middleware Software.

For more information, see Section 3.2.1, "Obtaining the Oracle Fusion Middleware Software"

4 Review the Database requirements. For more information, see Section 3.2.2, "Database Requirements".

5 Run Oracle Fusion Middleware Repository Creation Utility (RCU) to create and load the appropriate schemas for Oracle Identity and Access Management products.

For more information, see Section 3.2.3, "Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU)".

6 Review WebLogic Server and Middleware Home requirements.

For more information, see Section 3.2.4, "WebLogic Server and Middleware Home Requirements".

7 Start the Oracle Identity and Access Management Installer.

For more information, see Section 3.2.6, "Starting the Oracle Identity and Access Management Installer".

8 Install the Oracle Identity and Access Management 11g software.

Oracle Access Management is included in the Oracle Identity and Access Management Suite. You can use the Oracle Identity and Access Management 11g Installer to install Oracle Identity and Access Management Suite.

For more information, see Section 3.2.7, "Installing Oracle Identity and Access Management (11.1.2)".

9 Run the Oracle Fusion Middleware Configuration Wizard to configure your Oracle Identity and Access Management products in a new or existing WebLogic domain.

For more information, see Section 6.5, "Oracle Access Management in a New WebLogic Domain".

10 Configure the Database Security Store. For more information, see Section 3.2.9, "Configuring Database Security Store for an Oracle Identity and Access Management Domain".

11 Start the servers. You must start the Administration Server and all Managed Servers. For more information, see Section 6.6, "Starting the Servers".

12 Complete the post-installation tasks. Complete the following post-installation tasks:

■ Section 6.7, "Optional Post-Installation Tasks"

■ Section 6.8, "Verifying the Oracle Access Management Installation"

■ Section 6.9, "Setting Up Oracle Access Manager Agents"

■ Section 6.10, "Setting Up Integration with OIM"

■ Section 6.11, "Getting Started with Oracle Access Management After Installation"

6.4 Optional: Setting Up TDE for Oracle Access Management

Complete the following steps to set up Transparent Data Encryption (TDE) for Oracle Access Management:

1. Add the ENCRYPTION_WALLET_LOCATION parameter in the sqlnet.ora file of the database:

ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=<DB_WALLET_DIRECTORY>)))

2. Restart the database.

3. Run the following SQL statements as SYSDBA to create the encrypted tablespace:

a. ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "<PASSWORD>";

b. CREATE TABLESPACE <TABLESPACE_NAME> EXTENT MANAGEMENT LOCAL AUTOALLOCATE SEGMENT SPACE MANAGEMENT AUTO DATAFILE '<DATA_FILE_LOCATION>' SIZE 100M AUTOEXTEND ON NEXT 50M MAXSIZE UNLIMITED ENCRYPTION DEFAULT STORAGE(ENCRYPT);

Note: For the ENCRYPTION parameter, you can choose to use DEFAULT or specify any other option.

After setting up Transparent Data Encryption (TDE) for Oracle Access Management, run the Oracle Fusion Middleware Repository Creation Utility (RCU) to create Oracle Access Management schemas. For more information, see Section 3.2.3, "Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU)".

Note: When you create the Oracle Access Management schemas using RCU, in the Map Tablespaces screen, use the tablespace that you created for Oracle Access Management in step 3b. For more information, see the "Map Tablespaces" topic in the Oracle Fusion Middleware Repository Creation Utility User's Guide.
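The sqlnet.ora change in step 1 of the TDE setup above is a single line, but a duplicated entry leaves the effective wallet location ambiguous, and with METHOD=FILE the directory it names holds the wallet that stores the TDE master key. The following POSIX shell script is an added example and is not part of the Oracle guide: it adds the entry only when it is absent, reads the configured directory back, and checks that the wallet directory grants no permissions to group or others. The sqlnet.ora path and the wallet directory (the guide's <DB_WALLET_DIRECTORY>) are assumed to be passed as arguments; nothing else about the environment is assumed.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): helpers for step 1 of the TDE setup.
# Assumptions not stated in the guide: the sqlnet.ora path and the wallet
# directory (<DB_WALLET_DIRECTORY>) are supplied as arguments.

# add_wallet_location SQLNET_ORA WALLET_DIR
# Appends the ENCRYPTION_WALLET_LOCATION entry only if none is present, so
# running the script twice cannot leave two conflicting entries in the file.
add_wallet_location() {
    sqlnet="$1"
    wallet_dir="$2"
    if grep -q '^ENCRYPTION_WALLET_LOCATION' "$sqlnet" 2>/dev/null; then
        return 0
    fi
    printf 'ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=%s)))\n' \
        "$wallet_dir" >> "$sqlnet"
}

# wallet_location SQLNET_ORA
# Prints the DIRECTORY value of the entry, for a quick check before the
# database restart in step 2.
wallet_location() {
    sed -n 's/^ENCRYPTION_WALLET_LOCATION=.*(DIRECTORY=\([^)]*\)).*/\1/p' "$1"
}

# check_wallet_dir WALLET_DIR
# Succeeds only when the directory exists and grants no permissions to group
# or others. With METHOD=FILE the directory holds the wallet that stores the
# TDE master key, so only the database OS user should be able to read it.
check_wallet_dir() {
    d="$1"
    [ -d "$d" ] || return 1
    perms=$(ls -ld "$d" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Usage: sh tde_sqlnet.sh <sqlnet.ora> <DB_WALLET_DIRECTORY>
if [ "$#" -eq 2 ]; then
    add_wallet_location "$1" "$2"
    echo "wallet location: $(wallet_location "$1")"
    check_wallet_dir "$2" || echo "warning: $2 is missing or readable by other users" >&2
fi
```

The permission check reads the mode bits from ls rather than stat because the stat flags differ between Linux and other UNIX variants; the script is otherwise plain POSIX sh.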


6.5 Oracle Access Management in a New WebLogic Domain

This topic describes how to configure Oracle Access Management in a new WebLogic domain.

It includes the following sections:

■ Appropriate Deployment Environment

■ Components Deployed

■ Dependencies

■ Procedure

6.5.1 Appropriate Deployment Environment

Perform the configuration in this topic if you want to install only Oracle Access Management in an environment where you may add other Oracle Identity and Access Management 11g components, such as Oracle Identity Navigator, Oracle Identity Manager, and Oracle Adaptive Access Manager, at a later time in the same domain.

6.5.2 Components Deployed

Performing the configuration in this section deploys the following Oracle Access Management components:

■ Oracle Access Manager

■ Oracle Access Management Security Token Service

■ Oracle Access Management Identity Federation

■ Oracle Access Management Mobile and Social

6.5.3 Dependencies

The configuration in this section depends on the following:

■ Oracle WebLogic Server 11g Release 1 (10.3.6) or Oracle WebLogic Server 11g Release 1 (10.3.5).

■ Installation of the Oracle Identity and Access Management 11g software.

■ Database schemas for Oracle Access Management. For more information, see Section 3.2.3, "Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU)".

6.5.4 Procedure

Perform the following steps to configure Oracle Access Management in a new WebLogic domain:

1. Start the Oracle Fusion Middleware Configuration Wizard by running the <IAM_Home>/common/bin/config.sh script (on UNIX), or <IAM_Home>\common\bin\config.cmd (on Windows).

The Oracle Fusion Middleware Configuration Wizard appears.

2. On the Welcome screen, select the Create a new WebLogic domain option. Click Next. The Select Domain Source screen appears.

3. On the Select Domain Source screen, ensure that the Generate a domain configured automatically to support the following products: option is selected.

Select Oracle Access Management - 11.1.2.0.0 [IAM_Home], and click Next. The Specify Domain Name and Location screen appears.

Note: When you select the Oracle Access Management - 11.1.2.0.0 [IAM_Home] option, the following options are also selected, by default:

■ Oracle Platform Security Service 11.1.1.0 [IAM_Home]

■ Oracle JRF 11.1.1.0 [oracle_common]

4. Enter a name and a location for the domain to be created, and click Next. The Configure Administrator User Name and Password screen appears.

5. Configure a user name and a password for the administrator. The default user name is weblogic. Click Next.

6. Choose a JDK and Production Mode in the Configure Server Start Mode and JDK screen of the Oracle Fusion Middleware Configuration Wizard. Click Next. The Configure JDBC Component Schema screen appears.

7. On the Configure JDBC Component Schema screen, select a component schema, such as the OAM Infrastructure Schema or the OPSS Schema, that you want to modify.

You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, click Next. The Select Optional Configuration screen appears.

8. On the Select Optional Configuration screen, you can configure the Administration Server and Managed Servers, Clusters, and Machines. Click Next.

9. Optional: Configure the following Administration Server parameters:

■ Name

■ Listen address

■ Listen port

■ SSL listen port

■ SSL enabled or disabled

10. Optional: Configure Managed Servers, as required.

Note: If you want to configure the Managed Server on the same machine, ensure that the port is different from that of the Administration Server.

11. Optional: Configure Clusters, as required.

For more information about configuring clusters for Oracle Identity and Access Management products, see the "Configuring High Availability for Identity Management Components" topic in the Oracle Fusion Middleware High Availability Guide.

12. Optional: Assign Managed Servers to clusters, as required.


13. Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

Tip: Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.

14. If the Administration Server is not assigned to a machine, you can assign it to a machine.

Note that deployments, such as applications and libraries, and services that are targeted to a particular cluster or server are selected, by default.

15. Assign the newly created Managed Server, such as oam_server1, to a machine.

16. On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain.

A new WebLogic domain to support Oracle Access Management is created in the <MW_HOME>\user_projects\domains directory (on Windows). On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory.

Notes:

■ After configuring Oracle Access Management in a new WebLogic administration domain, you must configure the Database Security Store. For more information, see Section 3.2.9, "Configuring Database Security Store for an Oracle Identity and Access Management Domain".

■ After you configure Oracle Access Management, only Oracle Access Manager is enabled by default. To enable other Oracle Access Management components, such as OSTS, OIF, and Oracle Access Management Mobile and Social, refer to the "Enabling or Disabling Available Services" topic in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

6.6 Starting the Servers

After installing and configuring Oracle Access Management, you must run the Oracle WebLogic Administration Server and various Managed Servers, as described in Appendix C.1, "Starting the Stack". Ensure that you start the Oracle Access Management Administration Server before starting the Managed Servers.

6.7 Optional Post-Installation Tasks

After installing and configuring Oracle Access Management, you can perform the following optional tasks:

■ Configure your own LDAP to use instead of the default embedded LDAP, which comes with Oracle WebLogic Server.

■ Configure a policy store to protect resources.

■ Add more Managed Servers to the existing domain.

■ Add a Managed Server instance.

For more information, see the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

6.8 Verifying the Oracle Access Management Installation

After completing the installation process, including post-installation steps, you can verify the installation and configuration of Oracle Access Management as follows:

1. Ensure that the Administration Server and the Managed Server are up and running.

2. Log in to the Administration Console for Oracle Access Management using the URL: http://<adminserver-host>:<adminserver-port>/oamconsole

When you access this Administration Console running on the Administration Server, you are prompted to enter a user name and password. Note that you must have Administrator’s role and privileges.

3. Verify the Oracle WebLogic Server Administration Console. If the installation and configuration of Oracle Access Management is successful, this console shows the Administration Server in running mode.

6.9 Setting Up Oracle Access Manager Agents

Setting up an Agent involves the following steps:

1. Installing and Configuring the Agent

2. Registering Agents and Applications by Using the Console

3. Restarting the WebLogic Managed Servers

6.9.1 Installing and Configuring the Agent

You can set up the following Agents for Oracle Access Manager:

■ Oracle HTTP Server WebGate

■ OSSO Agent (mod_osso)

■ OpenSSO Agents

6.9.1.1 Setting Up Oracle HTTP Server WebGate

Oracle HTTP Server WebGate is a Web server plug-in that is available with Oracle Access Manager. The Oracle HTTP Server WebGate intercepts HTTP requests from users for Web resources and forwards them to the Access Server for authentication and authorization. Oracle HTTP Server WebGate installation packages are found on media and virtual media that is separate from the core components.

You can install the following Oracle HTTP Server WebGate Agents:

■ Oracle HTTP Server 11g WebGate

■ Oracle HTTP Server 10g WebGate

6.9.1.1.1 Installing and Configuring Oracle HTTP Server 11g WebGate

To install and configure Oracle HTTP Server 11g WebGate, complete the following steps:


1. Install Oracle HTTP Server 11g WebGate for Oracle Access Manager, as described in Chapter 12, "Installing and Configuring Oracle HTTP Server 11g Webgate for Oracle Access Manager".

2. Complete the post-installation steps and the registration setup, as described in Section 12.4, "Post-Installation Steps" and Section 12.6, "Getting Started with a New Oracle HTTP Server 11g Webgate Agent for Oracle Access Manager".

6.9.1.1.2 Installing and Configuring Oracle HTTP Server 10g WebGate

To install and configure Oracle HTTP Server 10g WebGate, refer to the "About Installing Fresh OAM 10g Webgates to Use With OAM 11g" topic in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.

6.9.1.2 Setting Up the OSSO Agent

OSSO Agent (mod_osso) is used by Oracle HTTP Server to check for an existing, valid Oracle HTTP Server cookie. If necessary, it redirects to the Oracle Access Manager runtime server to communicate with the directory during authentication. In addition, it decrypts the encrypted user identity populated by the OSSO server and sets the headers with user attributes.

6.9.1.2.1 Installing mod_osso

To install mod_osso, complete the following steps:

1. Install the latest version of Oracle HTTP Server. For information about installing the Web Tier, including Oracle HTTP Server, see Section 12.2.3, "Installing and Configuring Oracle HTTP Server 11g".

2. After patching your Oracle Web Tier software to the latest version, run the configuration tool to configure Oracle HTTP Server.

On UNIX operating systems:

<Web_Tier_ORACLE_HOME>/bin/config.sh

On Windows operating systems:

<Web_Tier_ORACLE_HOME>\bin\config.bat

For complete instructions, go to "Configuring Your Components" in the Oracle Fusion Middleware Installation Guide for Oracle Web Tier.

Note: After you configure Oracle HTTP Server, a working instance of Oracle HTTP Server is configured in an Instance Home.

3. Copy the mod_osso.conf file from the <ORACLE_INSTANCE>/config/OHS/<OHS_INSTANCE>/disabled directory to the <ORACLE_INSTANCE>/config/OHS/<OHS_INSTANCE>/moduleconf directory.

4. Register mod_osso as a Partner Application.

For information about registering mod_osso as a Partner Application, refer to the "Registering and Managing OSSO Agents Using the Console" topic in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management. Note that the Administration Server must be up and running when you are registering mod_osso as a Partner Application.

5. Edit the mod_osso.conf file to update the location of the osso.conf file as follows (<protected_URL_path> is the URL path that mod_osso protects):

<IfModule osso_module>
    OssoIpCheck off
    OssoIdleTimeout off
    OssoSecureCookies off
    OssoConfigFile <location of the osso.conf>
    <Location <protected_URL_path>>
        require valid-user
        AuthType Osso
    </Location>
</IfModule>

6. Restart Oracle HTTP Server by running the restartproc command in Oracle Process Manager and Notification Server (OPMN) or by using Oracle Fusion Middleware Control. To restart all Oracle HTTP Server components in an Oracle instance use the following command:

$ORACLE_INSTANCE/bin/opmnctl restartproc process-type=OHS
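Steps 3 through 6 above are a short file-handling procedure around a configuration whose values matter for security: OssoSecureCookies off leaves the mod_osso cookie without the Secure attribute, OssoConfigFile must point at a readable registration file, and the Location block is what actually requires an authenticated user. The POSIX shell script below is an added example and is neither the guide's nor Oracle's own code: it performs the copy from disabled/ to moduleconf/, sets OssoConfigFile, lints the result, and prints the opmnctl restart command instead of running it so that it works offline. The guide's <ORACLE_INSTANCE> and <OHS_INSTANCE> placeholders and the osso.conf path are assumed to be passed as arguments; the mod_osso.conf content used to exercise it is constructed.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): enable mod_osso as in steps 3, 5 and 6
# and lint the resulting mod_osso.conf before restarting Oracle HTTP Server.
# Assumptions not stated in the guide: <ORACLE_INSTANCE>, <OHS_INSTANCE> and the
# path of the registration file osso.conf are supplied as arguments.

# enable_mod_osso ORACLE_INSTANCE OHS_INSTANCE OSSO_CONF
# Step 3: copy mod_osso.conf from disabled/ to moduleconf/.
# Step 5: set OssoConfigFile to the osso.conf produced by the registration.
# Prints the path of the enabled configuration file.
enable_mod_osso() {
    inst="$1"; ohs="$2"; osso_conf="$3"
    src="$inst/config/OHS/$ohs/disabled/mod_osso.conf"
    dst="$inst/config/OHS/$ohs/moduleconf/mod_osso.conf"
    [ -f "$src" ] || { echo "missing $src" >&2; return 1; }
    [ -f "$osso_conf" ] || { echo "missing $osso_conf" >&2; return 1; }
    mkdir -p "$(dirname "$dst")"
    # Only the OssoConfigFile line changes; every other directive is copied as is.
    sed "s|^\([[:space:]]*OssoConfigFile\).*|\1 $osso_conf|" "$src" > "$dst"
    echo "$dst"
}

# lint_mod_osso MOD_OSSO_CONF
# Prints one line per finding and returns the number of findings (0 = clean).
lint_mod_osso() {
    conf="$1"; findings=0
    # The registration file must exist and be readable by the OHS process.
    cf=$(awk '$1 == "OssoConfigFile" { print $2 }' "$conf")
    if [ -z "$cf" ] || [ ! -r "$cf" ]; then
        echo "OssoConfigFile missing or unreadable: '$cf'"
        findings=$((findings + 1))
    fi
    # OssoSecureCookies off leaves the mod_osso cookie without the Secure
    # attribute; keep it on when the site is served over HTTPS.
    if awk '$1 == "OssoSecureCookies" { print tolower($2) }' "$conf" | grep -qx off; then
        echo "OssoSecureCookies is off"
        findings=$((findings + 1))
    fi
    # A Location block without 'require valid-user' does not enforce login.
    if ! grep -q 'require valid-user' "$conf"; then
        echo "no 'require valid-user' in any Location block"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# restart_ohs_cmd ORACLE_INSTANCE
# Step 6: prints the opmnctl restart command instead of running it, so the
# example works offline; run its output on the Web Tier host.
restart_ohs_cmd() {
    echo "$1/bin/opmnctl restartproc process-type=OHS"
}

# Usage: sh enable_osso.sh <ORACLE_INSTANCE> <OHS_INSTANCE> <osso.conf>
if [ "$#" -eq 3 ]; then
    conf=$(enable_mod_osso "$1" "$2" "$3") || exit 1
    lint_mod_osso "$conf" || echo "fix the findings above before restarting" >&2
    restart_ohs_cmd "$1"
fi
```

The lint deliberately reports rather than rewrites: whether OssoSecureCookies can be turned on depends on the site being served over HTTPS, which is a deployment decision, not something a script should decide.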

6.9.1.3 Setting Up the OpenSSO Agent

For setting up the OpenSSO Agent, refer to the appropriate guide from the following link:

http://docs.oracle.com/cd/E19681-01/index.html

Note: OpenSSO Agents (version 2.2 and 3.0) are supported with Oracle Access Manager 11gR2.

6.9.2 Registering Agents and Applications by Using the Console

For information about registering agents and applications by using the console, refer to the following topics in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management:

■ "Registering Agents and Applications by Using the Console"

■ "Registering and Managing Webgates Using the Console"

■ "Registering and Managing OSSO Agents Using the Console"

■ "Registering and Managing OpenSSO Policy Agents Using the Console"

Note: The Administration Server must be up and running when you are registering the Agents as a Partner Application.

6.9.3 Restarting the WebLogic Managed Servers

For information about restarting Managed Servers, see Appendix C.1, "Starting the Stack".

6.10 Setting Up Integration with OIM

For information about setting up integration between Oracle Access Management and Oracle Identity Manager (OIM), see "Integrating Access Manager and Oracle Identity Manager" in the Oracle Fusion Middleware Integration Guide for Oracle Identity Management Suite.

6.11 Getting Started with Oracle Access Management After Installation

After installing Oracle Access Management, refer to the "Getting Started with Common Administration and Navigation" chapter in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

Note: When you configure Oracle Access Management using the Oracle Access Management template, only Oracle Access Manager is enabled by default. For enabling other services including Security Token Service, Identity Federation, and Oracle Access Management Mobile and Social, refer to "Enabling or Disabling Available Services" in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

7 Configuring Oracle Adaptive Access Manager

This chapter explains how to configure Oracle Adaptive Access Manager. It includes the following topics:

■ Overview

■ Important Note Before You Begin

■ Installation and Configuration Roadmap for Oracle Adaptive Access Manager

■ Oracle Adaptive Access Manager in a New WebLogic Domain

■ Configuring Oracle Adaptive Access Manager (Offline)

■ Starting the Servers

■ Post-Installation Steps

■ Verifying the Oracle Adaptive Access Manager Installation

■ Migrating Policy and Credential Stores

■ Getting Started with Oracle Adaptive Access Manager After Installation

7.1 Overview

For Oracle Identity and Access Management 11g Release 2 (11.1.2), Oracle Adaptive Access Manager includes two components:

■ Oracle Adaptive Access Manager (Online)

■ Oracle Adaptive Access Manager (Offline)

Note: Oracle Adaptive Access Manager (Offline) is included in the Oracle Identity and Access Management Suite. When you are installing Oracle Identity and Access Management 11g Release 2 (11.1.2), Oracle Adaptive Access Manager (Offline) is also installed along with Oracle Adaptive Access Manager. For configuring Oracle Adaptive Access Manager (Offline), see Section 7.5, "Configuring Oracle Adaptive Access Manager (Offline)".

7.2 Important Note Before You Begin

Before you start installing and configuring Oracle Identity and Access Management products in any of the scenarios discussed in this guide, note that IAM_Home is used to refer to the Oracle Home directory that includes Oracle Identity Manager, Oracle Access Management, Oracle Adaptive Access Manager, Oracle Entitlements Server, Oracle Identity Navigator, Oracle Privileged Account Manager, and Oracle Access Management Mobile and Social. You can specify any name for this Oracle Home directory.

7.3 Installation and Configuration Roadmap for Oracle Adaptive Access Manager

Table 7–1 lists the tasks for installing and configuring Oracle Adaptive Access Manager.

Table 7–1 Installation and Configuration Flow for Oracle Adaptive Access Manager

No. Task Description

1 Review installation concepts in the Installation Planning Guide.

Read the Oracle Fusion Middleware Installation Planning Guide, which describes the process for various users to install or upgrade to Oracle Fusion Middleware 11g (11.1.2) depending on the user's existing environment.

2 Review the system requirements and certification documents to ensure that your environment meets the minimum installation requirements for the components you are installing.

For more information, see Section 2.1, "Reviewing System Requirements and Certification".

3 Obtain the Oracle Fusion Middleware Software.

For more information, see Section 3.2.1, "Obtaining the Oracle Fusion Middleware Software"

4 Review the Database requirements. For more information, see Section 3.2.2, "Database Requirements".

5 Run Oracle Fusion Middleware Repository Creation Utility (RCU) to create and load the appropriate schemas for Oracle Identity and Access Management products.

For more information, see Section 3.2.3, "Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU)".

6 Review WebLogic Server and Middleware Home requirements.

For more information, see Section 3.2.4, "WebLogic Server and Middleware Home Requirements".

7 Start the Oracle Identity and Access Management Installer.

For more information, see Section 3.2.6, "Starting the Oracle Identity and Access Management Installer".

8 Install the Oracle Identity and Access Management 11g software.

Oracle Adaptive Access Manager is included in the Oracle Identity and Access Management Suite. You can use the Oracle Identity and Access Management 11g Installer to install Oracle Identity and Access Management Suite.

For more information, see Section 3.2.7, "Installing Oracle Identity and Access Management (11.1.2)".

9 Run the Oracle Fusion Middleware Configuration Wizard to configure your Oracle Identity and Access Management products in a new or existing WebLogic domain.

This chapter describes the following configuration scenarios:

■ Section 7.4, "Oracle Adaptive Access Manager in a New WebLogic Domain"

■ Section 7.5, "Configuring Oracle Adaptive Access Manager (Offline)"

10 Configure the Database Security Store. For more information, see Section 3.2.9, "Configuring Database Security Store for an Oracle Identity and Access Management Domain".

11 Start the servers. You must start the Administration Server and all Managed Servers. For more information, see Section 7.6, "Starting the Servers".

12 Complete the post-installation tasks. Complete the following post-installation tasks:

■ Section 7.7, "Post-Installation Steps"

■ Section 7.8, "Verifying the Oracle Adaptive Access Manager Installation"

■ Section 7.9, "Migrating Policy and Credential Stores"

■ Section 7.10, "Getting Started with Oracle Adaptive Access Manager After Installation"

7.4 Oracle Adaptive Access Manager in a New WebLogic Domain

This topic describes how to configure Oracle Adaptive Access Manager in a new WebLogic administration domain. It includes the following sections:

■ Appropriate Deployment Environment

■ Components Deployed

■ Dependencies

■ Procedure

7.4.1 Appropriate Deployment Environment

Perform the configuration in this topic if you want to install Oracle Adaptive Access Manager in an environment where you may install other Oracle Identity and Access Management 11g components, such as Oracle Identity Navigator, Oracle Access Management, or Oracle Identity Manager, at a later time in the same domain.

You can use the Oracle Identity Navigator interface and dashboard to discover and launch the Oracle Adaptive Access Manager console from within Oracle Identity Navigator.

7.4.2 Components Deployed

Performing the configuration in this section deploys the following:

■ WebLogic Administration Server

■ Managed Servers for Oracle Adaptive Access Manager, depending on the Oracle Adaptive Access Manager Domain Configuration template you choose.

■ Oracle Adaptive Access Manager Console on the Administration Server.

7.4.3 Dependencies

The configuration in this section depends on the following:

■ Oracle WebLogic Server 11g Release 1 (10.3.6) or Oracle WebLogic Server 11g Release 1 (10.3.5).

■ Installation of the Oracle Identity and Access Management 11g software.

■ Database schemas for Oracle Adaptive Access Manager. For more information, see Section 3.2.3, "Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU)".

7.4.4 Procedure

Perform the following steps to configure only Oracle Adaptive Access Manager in a new WebLogic domain:

1. Start the Oracle Fusion Middleware Configuration Wizard by running the <IAM_Home>/common/bin/config.sh script (on UNIX), or <IAM_Home>\common\bin\config.cmd (on Windows).

The Welcome screen of the Oracle Fusion Middleware Configuration Wizard appears.

2. On the Welcome screen, select the Create a new WebLogic domain option. Click Next. The Select Domain Source screen appears.

3. On the Select Domain Source screen, ensure that the Generate a domain configured automatically to support the following products: option is selected. Select Oracle Adaptive Access Manager Admin Server - 11.1.2.0.0 [IAM_Home].

In addition, you can select the following:

■ Oracle Adaptive Access Manager - Server - 11.1.2.0.0 [IAM_Home]

■ Oracle Adaptive Access Manager Offline - 11.1.2.0.0 [IAM_Home]

Note: When you select the Oracle Adaptive Access Manager Admin Server - 11.1.2.0.0 [IAM_Home] option, the following options are also selected, by default:

■ Oracle Enterprise Manager 11.1.1.0 [oracle_common]

■ Oracle Platform Security Service 11.1.1.0 [IAM_Home]

■ Oracle JRF 11.1.1.0 [oracle_common]

When you select the Oracle Adaptive Access Manager - Server - 11.1.2.0.0 [IAM_Home] option, in addition to the templates mentioned above, the Oracle WSM Policy Manager - 11.1.1.0 [oracle_common] template is also selected, by default.

Click Next. The Select Domain Name and Location screen appears.

4. Enter a name and a location for the domain to be created, and click Next. The Configure Administrator User Name and Password screen appears.

5. Configure a user name and a password for the administrator. The default user name is weblogic. Click Next.

6. Choose a JDK and Production Mode in the Configure Server Start Mode and JDK screen of the Oracle Fusion Middleware Configuration Wizard. Click Next. The Configure JDBC Component Schema screen is displayed.

7. On the Configure JDBC Component Schema screen, select a component schema, such as the OAAM Admin Server Schema, the OPSS Schema, or the OAAM Admin MDS Schema, that you want to modify. You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, click Next. The Select Optional Configuration screen appears.

8. On the Select Optional Configuration screen, you can choose to configure the Administration Server; Managed Servers, Clusters, and Machines; Deployments and Services; and the RDBMS Security Store. Select the relevant check boxes and click Next.

9. Optional: Configure the following Administration Server parameters:

■ Name

■ Listen address

■ Listen port

■ SSL listen port

■ SSL enabled or disabled

Administrator credentials for the WebLogic Administration Console and for WLST connections are sent to this server, so in Production Mode enable the SSL listen port and use it rather than the plain listen port.

10. On the Select Optional Configuration screen, select Managed Servers, Clusters and Machines to configure the managed server. For more information, see "Configure Managed Servers" in the Oracle Fusion Middleware Creating Domains Using the Configuration Wizard.

11. Optional: Configure Clusters, as required.

For more information about configuring clusters for Oracle Identity and Access Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

12. Optional: Assign Managed Servers to Clusters, as required.

13. Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

14. Optional: Assign the Administration Server to a machine.

15. Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

16. Optional: Configure RDBMS Security Store, as required.

17. On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain.

A new WebLogic domain to support Oracle Adaptive Access Manager is created in the <MW_HOME>\user_projects\domains directory (on Windows). On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory.

Tip: Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.

Note: After configuring Oracle Adaptive Access Manager in a new WebLogic administration domain, you must configure the Database Security Store. For more information, see Section 3.2.9, "Configuring Database Security Store for an Oracle Identity and Access Management Domain".


7.5 Configuring Oracle Adaptive Access Manager (Offline)

This topic describes how to configure Oracle Adaptive Access Manager (Offline) in a new WebLogic domain. It includes the following topics:

■ Components Deployed

■ Dependencies

■ Procedure

7.5.1 Components Deployed

Performing the configuration in this section deploys the following:

■ WebLogic Administration Server

■ Oracle Adaptive Access Manager (Offline) application on the Oracle Adaptive Access Manager Managed Server

7.5.2 Dependencies

The configuration in this section depends on the following:

■ Oracle WebLogic Server 11g Release 1 (10.3.6) or Oracle WebLogic Server 11g Release 1 (10.3.5).

■ Installation of the Oracle Identity and Access Management 11g software.

■ Database schemas for Oracle Adaptive Access Manager. For more information, see Section 3.2.3, "Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU)".

7.5.3 Procedure

Perform the following steps to configure Oracle Adaptive Access Manager (Offline) in a new WebLogic domain:

1. Start the Oracle Fusion Middleware Configuration Wizard by running the <IAM_Home>/common/bin/config.sh script (on UNIX), or <IAM_Home>\common\bin\config.cmd (on Windows).

The Welcome screen of the Oracle Fusion Middleware Configuration Wizard appears.

2. On the Welcome screen, select the Create a new WebLogic domain option. Click Next. The Select Domain Source screen appears.

3. On the Select Domain Source screen, ensure that the Generate a domain configured automatically to support the following products: option is selected. Select Oracle Adaptive Access Manager Offline - 11.1.2.0.0 [IAM_Home].

Note: When you select the Oracle Adaptive Access Manager Offline - 11.1.2.0.0 [IAM_Home] option, the following options are also selected, by default:

■ Oracle Enterprise Manager 11.1.1.0 [oracle_common]

■ Oracle Platform Security Service 11.1.1.0 [IAM_Home]

■ Oracle JRF 11.1.1.0 [oracle_common]

Click Next. The Specify Domain Name and Location screen appears.

4. Enter a name and a location for the domain to be created, and click Next. The Configure Administrator User Name and Password screen appears.

5. Configure a user name and a password for the administrator. The default user name is weblogic. Click Next. The Configure Server Start Mode and JDK screen appears.

6. Choose a JDK and Production Mode in the Configure Server Start Mode and JDK screen. Click Next. The Configure JDBC Component Schema screen is displayed.

7. On the Configure JDBC Component Schema screen, select a component schema, such as the OAAM Offline Schema, the OPSS Schema, or the OAAM Admin MDS Schema that you want to modify. You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, click Next. The Select Optional Configuration screen appears.

8. On the Select Optional Configuration screen, you can configure the Administration Server, Managed Servers, Clusters, Machines, Deployments and Services, and RDBMS Security Store. Select the relevant check boxes and click Next.

■ Optional: Configure the following Administration Server parameters:

– Name

– Listen Address

– Listen Port

– SSL Listen Port

– SSL Enabled

■ Optional: Add and configure Managed Servers, as required. The Oracle Adaptive Access Manager (Offline) application is deployed on an Oracle Adaptive Access Manager Managed Server (see Section 7.5.1), so at least one Managed Server is needed in this domain.

■ Optional: Configure Clusters, as required.

For more information about configuring clusters for Oracle Identity and Access Management products, see the "Configuring High Availability for Identity Management Components" topic in the Oracle Fusion Middleware High Availability Guide.

■ Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

■ Optional: Assign the Administration Server to a machine.

■ Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

■ Optional: Configure RDBMS Security Store Database, as required.

9. On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain.

A new WebLogic domain to support Oracle Adaptive Access Manager (Offline) is created in the <MW_HOME>\user_projects\domains directory (on Windows). On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory.

Tip: Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.

Note: After configuring Oracle Adaptive Access Manager (Offline) in a new WebLogic administration domain, you must configure the Database Security Store. For more information, see Section 3.2.9, "Configuring Database Security Store for an Oracle Identity and Access Management Domain".

7.6 Starting the Servers

After installing and configuring Oracle Adaptive Access Manager, you must run the Oracle WebLogic Administration Server and various Managed Servers, as described in Appendix C.1, "Starting the Stack". Ensure that you start the Oracle Adaptive Access Manager Administration Server before starting the Managed Servers.

7.7 Post-Installation Steps

After installing and configuring Oracle Adaptive Access Manager, you must complete the following tasks:

1. Create Oracle WebLogic Server Users as follows:

a. Log in to the Oracle WebLogic Administration Console for your WebLogic administration domain.

b. Click on Security Realms, and then click on your security realm.

c. Click the Users and Groups tab, and then click the Users tab under it.

d. Create a user, such as user1, in the security realm.

e. Assign the user user1 to the rule administrators and environment administrators groups.

2. Set up and back up Oracle Adaptive Access Manager Encryption Keys, as described in the "Setting Up Encryption and Database Credentials for OAAM" topic in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager. Ensure that you have a backup of the Oracle Adaptive Access Manager Encryption Keys; they are required if you want to re-create the Oracle Adaptive Access Manager domain.

3. Import Snapshot of Policies as follows:

A full snapshot of policies, dependent components and configurations is shipped with Oracle Adaptive Access Manager. The snapshot is in the oaam_base_snapshot.zip file and located in the MW_HOME/IAM_ORACLE_HOME/oaam/init directory.

It contains the following items that must be imported into Oracle Adaptive Access Manager:

■ Challenge questions for English (United States)

During registration, which could be enrollment, opening a new account, or other events such as a reset, the user selects different questions from a list of questions and enters answers to them. These questions, called challenge questions, are used to authenticate users.

Questions for the languages you want to support must be in the system before users can be asked to register. These questions may also be required to log in to Oracle Adaptive Access Manager Server.

■ Entity definitions

The actors that are tracked during authentication are called authentication entities and include user, city, device, and so on. These base entities are required to enable conditions that are used for patterns.

■ Out-of-the-box patterns

Patterns are used by Oracle Adaptive Access Manager to either define one bucket or dynamically create buckets. Oracle Adaptive Access Manager collects data and populates these buckets with members based on pattern parameters, and rules perform risk evaluations on dynamically changing membership and distributions of the buckets.

■ Out-of-the-box configurable actions

Configurable actions are actions that are triggered based on the result action or risk scoring or both after a checkpoint execution. The configurable actions are built using action templates.

■ Out-of-the-box policies

Policies are designed to help evaluate and handle business activities or potentially risky activities that are encountered in day-to-day operation.

■ Any groups

Collections of items used in rules, user groups, and action and alert groups are shipped with Oracle Adaptive Access Manager.

To upgrade policies, components, and configurations individually, first back up the existing ones, and then import the separate file. The following files are available:

■ Default questions are shipped in the oaam_kba_questions_<locale>.zip files, which are located in the <MW_HOME>/<IAM_ORACLE_HOME>/oaam/init/kba_questions directory. The locale identifier <locale> specifies the language version.

Note: If you are upgrading from Oracle Adaptive Access Manager 10.1.4.5 to Oracle Adaptive Access Manager 11g, you will see that the names and descriptions of the out-of-the-box action templates are slightly different, because the action templates in Oracle Adaptive Access Manager 11g are globalized.

Notes:

■ If you need to customize any properties, you should import the snapshot into your new test system, make the changes, export the snapshot, and import it into your new system. Alternatively you can import the snapshot on the new system and make the property changes directly, thereby eliminating the test system completely.


■ Base policies are shipped in the oaam_sample_policies_for_uio_integration.zip file, which is located in the <MW_HOME>/<IAM_ORACLE_HOME>/oaam/init directory.

■ Configurable action templates are shipped in the OOTB_Configurable_Actions.zip file, which is located in the <MW_HOME>/<IAM_ORACLE_HOME>/oaam/init directory.

■ Base-authentication required entities are shipped in the Auth_EntityDefinition.zip file, which is located in the <MW_HOME>/<IAM_ORACLE_HOME>/oaam/init directory.

4. Load Location Data into the Oracle Adaptive Access Manager database as follows:

a. Configure the IP Location Loader script, as described in the topics "OAAM Command Line Interface Scripts" and "Importing IP Location Data" in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.

b. Make a copy of the sample.bharosa_location.properties file, which is located under the <MW_HOME>/<IAM_Home>/oaam/cli directory (on UNIX). On Windows, the sample.bharosa_location.properties file is located under the <MW_HOME>\<IAM_Home>\oaam\cli directory.

Enter location data details in the location.data properties, as in the following examples:

On Windows:

location.data.provider=quova

location.data.file=\\tmp\\quova\\EDITION_Gold_2008-07-22_v374.dat.gz

location.data.ref.file=\\tmp\\quova\\EDITION_Gold_2008-07-22_v374.ref.gz

location.data.anonymizer.file=\\tmp\\quova\\anonymizers_2008-07-09.dat.gz

On UNIX:

location.data.provider=quova

location.data.file=/tmp/quova/EDITION_Gold_2008-07-22_v374.dat.gz

location.data.ref.file=/tmp/quova/EDITION_Gold_2008-07-22_v374.ref.gz

location.data.anonymizer.file=/tmp/quova/anonymizers_2008-07-09.dat.gz

c. Run the loader on the command line as follows:

On Windows: loadIPLocationData.cmd

On UNIX: ./loadIPLocationData.sh

Ensure that the Oracle Middleware Home (MW_HOME) environment variable is set before running the loadIPLocationData script.

Note: For more information about policies, see the "Importing the OAAM Snapshot" and "Managing Policies, Rules, and Conditions" topics in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.
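The Oracle WebLogic Server user creation in post-installation step 1 can be scripted with WLST instead of clicking through the Administration Console, which is convenient when the same user must be created in several environments. The following WLST (Jython) script is an added example and is not part of this guide or of the Oracle Adaptive Access Manager product. It assumes the default realm (myrealm) and the DefaultAuthenticator, an Administration Server URL and encrypted credential files previously created with the WLST storeUserConfig() command, and the two OAAM group names, which are taken from the Oracle Adaptive Access Manager documentation and are verified against the realm before use; adjust all of these to your domain. The new user's password is read from an environment variable so that it never appears on a command line, and the script refuses to run if a target group does not exist, so a mistyped group name fails loudly instead of creating a user that has no OAAM privileges.

```jython
# Added example, not from the Oracle guide: create the OAAM administrator
# user of post-installation step 1 with WLST instead of the Administration
# Console. Run with: <IAM_Home>/common/bin/wlst.sh create_oaam_admin.py
import os
import sys

# Assumptions (adjust to your domain): the Administration Server URL, the
# encrypted credential files created earlier with storeUserConfig(), the
# default realm and authenticator, and the OAAM group names. The group
# names are assumed from the OAAM documentation; the script verifies that
# they exist in the realm before using them.
ADMIN_URL   = 't3://adminhost.example.com:7001'
USER_CONFIG = '/home/oracle/.wlst/adminuser.config'
USER_KEY    = '/home/oracle/.wlst/adminuser.key'
REALM       = 'myrealm'
PROVIDER    = 'DefaultAuthenticator'
NEW_USER    = 'user1'
OAAM_GROUPS = ['OAAMRuleAdministratorGroup', 'OAAMEnvAdminGroup']

# The new user's password comes from the environment, never from the
# command line, so it does not show up in process listings or shell history.
password = os.environ.get('OAAM_NEW_USER_PASSWORD')
if not password:
    print 'Set OAAM_NEW_USER_PASSWORD in the environment before running this script.'
    sys.exit(1)

def member_groups(atn, user):
    # Walk the provider's cursor API to list every group the user belongs to.
    groups = []
    cursor = atn.listMemberGroups(user)
    while atn.haveCurrent(cursor):
        groups.append(atn.getCurrentName(cursor))
        atn.advance(cursor)
    atn.close(cursor)
    return groups

# Connect with the stored, encrypted administrator credentials.
connect(userConfigFile=USER_CONFIG, userKeyFile=USER_KEY, url=ADMIN_URL)

realm = cmo.getSecurityConfiguration().lookupRealm(REALM)
if realm is None:
    print 'Realm %s not found.' % REALM
    disconnect()
    sys.exit(1)
atn = realm.lookupAuthenticationProvider(PROVIDER)

# Refuse to continue if a target group is missing: a mistyped group name
# would otherwise leave a user that exists but has no OAAM privileges.
missing = [g for g in OAAM_GROUPS if not atn.groupExists(g)]
if missing:
    print 'Groups missing from realm %s: %s' % (REALM, ', '.join(missing))
    disconnect()
    sys.exit(1)

if atn.userExists(NEW_USER):
    print 'User %s already exists; checking group membership only.' % NEW_USER
else:
    atn.createUser(NEW_USER, password, 'OAAM rule and environment administrator')
    print 'Created user %s.' % NEW_USER

# Add the user to each OAAM group it is not yet a member of.
current = member_groups(atn, NEW_USER)
for group in OAAM_GROUPS:
    if group in current:
        print '%s is already a member of %s.' % (NEW_USER, group)
    else:
        atn.addMemberToGroup(group, NEW_USER)
        print 'Added %s to %s.' % (NEW_USER, group)

disconnect()
```

Security-provider MBeans such as the DefaultAuthenticator are edited live, so no edit session (edit()/startEdit()/activate()) is required; the change takes effect immediately in the realm. Create the credential files once with connect() followed by storeUserConfig('/home/oracle/.wlst/adminuser.config', '/home/oracle/.wlst/adminuser.key'), and protect them with file permissions that restrict access to the WebLogic operating-system user.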

7.8 Verifying the Oracle Adaptive Access Manager Installation

After completing the installation process, including post-installation steps, you can verify the installation and configuration of Oracle Adaptive Access Manager as follows:

1. Start the Administration Server to register the newly created managed servers with the domain. To start the Administration Server, run the following command:

■ On Windows: At the command prompt, run the startWebLogic script to start the Administration Server, as in the following example:

<MW_HOME>\user_projects\domains\base_domain\bin\startWebLogic

■ On UNIX: At the $ prompt, run the startWebLogic.sh script to start the Administration Server, as in the following example:

<MW_HOME>/user_projects/domains/base_domain/bin/startWebLogic.sh

2. Start the Managed Server, as described in Section 7.6, "Starting the Servers".

Wait for the Administration Server and the Managed Server to start up.

3. Log in to the Oracle Adaptive Access Manager Administration Console using the user name and password of a user that belongs to the Oracle Adaptive Access Manager administrator groups (for example, the user created in Section 7.7, "Post-Installation Steps"). Use the following URL:

http://<host>:<oaam_admin_server1_port>/oaam_admin

In Production Mode, use the SSL listen port with https:// instead, so that the console credentials are not sent in clear text.

4. Log in to the Oracle Adaptive Access Manager Server using the following URL:

https://<host>:<oaam_server_server1_sslport>/oaam_server
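Logging in to the two consoles confirms that the applications answer, but not that every server is up, that each OAAM application is active on every server it is targeted to, or that the SSL listeners the URLs above depend on are actually enabled. The following WLST (Jython) script is an added example, not part of this guide or of the product, that performs those checks from the Administration Server. It assumes an Administration Server URL, credential files created with storeUserConfig(), and the server names AdminServer, oaam_admin_server1, and oaam_server_server1, which follow the placeholders used in this chapter; adjust them to your domain. Deployments are matched by an application identifier containing "oaam", and their targets are read from the domain configuration rather than guessed.

```jython
# Added example, not from the Oracle guide: verify the OAAM domain with
# WLST after installation. Run with: <IAM_Home>/common/bin/wlst.sh verify_oaam.py
import sys

# Assumptions (adjust to your domain): the Administration Server URL, the
# credential files created with storeUserConfig(), and the server names,
# which follow the placeholders used in this chapter.
ADMIN_URL   = 't3://adminhost.example.com:7001'
USER_CONFIG = '/home/oracle/.wlst/adminuser.config'
USER_KEY    = '/home/oracle/.wlst/adminuser.key'
SERVERS     = ['AdminServer', 'oaam_admin_server1', 'oaam_server_server1']

problems = []

connect(userConfigFile=USER_CONFIG, userKeyFile=USER_KEY, url=ADMIN_URL)

# 1. Static configuration: every server should have its SSL listen port
#    enabled, so that administrator and end-user credentials are never
#    sent in clear text.
serverConfig()
for name in SERVERS:
    ssl = getMBean('/Servers/%s/SSL/%s' % (name, name))
    if ssl is None or not ssl.isEnabled():
        problems.append('%s: SSL listen port is not enabled' % name)
    else:
        print '%s: SSL listen port %d enabled' % (name, ssl.getListenPort())

# Collect the OAAM deployments and the targets they are configured for,
# so the runtime check below asks only about real (application, target) pairs.
deployments = []
for app in cmo.getAppDeployments():
    appId = app.getApplicationIdentifier()
    if appId.lower().find('oaam') >= 0:
        deployments.append((appId, [t.getName() for t in app.getTargets()]))

# 2. Runtime state: every listed server must be RUNNING.
domainRuntime()
for lc in cmo.getServerLifeCycleRuntimes():
    state = lc.getState()
    print '%s: %s' % (lc.getName(), state)
    if lc.getName() in SERVERS and state != 'RUNNING':
        problems.append('%s is %s, expected RUNNING' % (lc.getName(), state))

# 3. Deployment state: each OAAM application must be STATE_ACTIVE on every
#    target it is deployed to.
apps = getMBean('/AppRuntimeStateRuntime/AppRuntimeStateRuntime')
for appId, targets in deployments:
    for target in targets:
        state = apps.getCurrentState(appId, target)
        print '%s on %s: %s' % (appId, target, state)
        if state != 'STATE_ACTIVE':
            problems.append('%s on %s is %s' % (appId, target, state))

disconnect()

if problems:
    print 'Verification FAILED:'
    for p in problems:
        print '  ' + p
    sys.exit(1)
print 'Verification passed; now log in to the consoles as described above.'
```

Run the script after Section 7.6 has started all servers. A non-zero exit code makes it usable from a deployment pipeline, and the SSL check catches the common case of a domain created with the SSL listen port left disabled on the Administration Server.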

7.9 Migrating Policy and Credential Stores

You begin policy and credential store migration by creating the JPS root and then you reassociate the policy and credential store with Oracle Internet Directory.

Migrating policy and credential stores involves the following steps:

1. Creating JPS Root

2. Reassociating the Policy and Credential Store

7.9.1 Creating JPS Root

Create the jpsroot in Oracle Internet Directory using the command line ldapadd command as shown in these steps:

1. Create an ldif file (for example, jps_root.ldif) similar to this:

dn: cn=jpsroot_iam
cn: jpsroot_iam
objectclass: top
objectclass: orclcontainer

The container name you choose here (jpsroot_iam in this example) is the value you must later pass as jpsroot to the reassociateSecurityStore command in Section 7.9.2.

Note: If you wish to generate CSF keys or passwords manually, see the "Setting Up Encryption and Database Credentials for OAAM" topic in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.

2. Use ORACLE_HOME/bin/ldapadd to add these entries to Oracle Internet Directory. For example:

ORACLE_HOME/bin/ldapadd -h oid.mycompany.com -p 389 -D "cn=orcladmin" -w welcome1 -c -v -f jps_root.ldif

The -w option places the directory administrator password on the command line, where it is visible in process listings and shell history. On shared hosts, have ldapadd prompt for the bind password instead of passing it with -w (see the ldapadd command reference), and do not leave the command with the password in a shell history file.

7.9.2 Reassociating the Policy and Credential Store

To reassociate the policy and credential store with Oracle Internet Directory, use the WLST reassociateSecurityStore command. Follow these steps:

1. From IAMHOST1, start the wlst shell from the ORACLE_HOME/common/bin directory. For example:

./wlst.sh

2. Connect to the WebLogic Administration Server using the wlst connect command shown below.

connect('AdminUser', 'AdminUserPassword', 't3://hostname:port')

For example:

connect('weblogic_iam', 'welcome1', 't3://iamhost-vip.mycompany.com:7001')

Calling connect() with no arguments prompts for the user name, password, and URL instead, which avoids typing the administrator password in clear text on the WLST command line.

3. Run the reassociateSecurityStore command as shown below:

Syntax:

reassociateSecurityStore(domain="domainName",admin="cn=orcladmin",password="orclPassword",ldapurl="ldap://LDAPHOST:LDAPPORT",servertype="OID",jpsroot="cn=jpsRootContainer")

For example:

wls:/IAMDomain/serverConfig> reassociateSecurityStore(domain="IAMDomain",admin="cn=orcladmin",password="password",ldapurl="ldap://oid.mycompany.com:389",servertype="OID",jpsroot="cn=jpsroot_iam")

The jpsroot value must name the container created in Section 7.9.1 (cn=jpsroot_iam in this example).

The output for the command is as follows:

{servertype=OID, jpsroot=cn=jpsroot_iam, admin=cn=orcladmin, domain=IAMDomain, ldapurl=ldap://oid.mycompany.com:389, password=password}
Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root.
For more help, use help(domainRuntime)

Starting Policy Store reassociation.
LDAP server and ServiceConfigurator setup done.
Schema is seeded into LDAP server
Data is migrated to LDAP server
Service in LDAP server after migration has been tested to be available
Update of jps configuration is done
Policy Store reassociation done.
Starting credential Store reassociation
LDAP server and ServiceConfigurator setup done.
Schema is seeded into LDAP server
Data is migrated to LDAP server
Service in LDAP server after migration has been tested to be available
Update of jps configuration is done
Credential Store reassociation done
Jps Configuration has been changed. Please restart the server.

Note that the first line of the output echoes the command arguments, including the directory administrator password. Remove it before pasting the output into logs, tickets, or e-mail.

4. Restart the Administration Server after the command completes successfully. For information about restarting the Administration Server, see Appendix C.1, "Starting the Stack".

7.10 Getting Started with Oracle Adaptive Access Manager After Installation

After installing Oracle Adaptive Access Manager, refer to the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.

8 Installing and Configuring Oracle Entitlements Server

This chapter describes how to install and configure Oracle Entitlements Server 11g Release 2 (11.1.2).

It discusses the following topics:

■ Important Note Before You Begin

■ Overview of Oracle Entitlements Server 11g Installation

■ Installation and Configuration Roadmap for Oracle Entitlements Server

■ Creating Oracle Entitlement Server Schemas (For Apache Derby Only)

■ Configuring Oracle Entitlements Server Administration Server

■ Installing Oracle Entitlements Server Client

■ Configuring Oracle Entitlements Server Client

■ Getting Started with Oracle Entitlements Server After Installation

8.1 Important Note Before You Begin

Before you start installing and configuring Oracle Identity and Access Management products in any of the scenarios discussed in this guide, note that IAM_Home is used to refer to the Oracle Home directory that includes Oracle Identity Manager, Oracle Access Management, Oracle Adaptive Access Manager, Oracle Entitlements Server, Oracle Identity Navigator, Oracle Privileged Account Manager, and Oracle Access Management Mobile and Social. You can specify any name for this Oracle Home directory.

8.2 Overview of Oracle Entitlements Server 11g Installation

Oracle Entitlements Server, formerly AquaLogic Enterprise Security, is a fine-grained authorization and entitlement management solution that can be used to precisely control the protection of application resources. It simplifies and centralizes security for enterprise applications and SOA by providing comprehensive, reusable, and fully auditable authorization policies and a simple, easy-to-use administration model. For more information, see "Introducing Oracle Entitlements Server" in the Oracle Fusion Middleware Administrator's Guide for Oracle Entitlements Server.

Oracle Entitlements Server 11g includes two distinct components:

■ Oracle Entitlements Server Administration Server

■ Oracle Entitlements Server Client (Security Module)

Oracle Entitlements Server Administration Server

This component is included in the Oracle Identity and Access Management 11g Release 2 (11.1.2.0.0) installation and requires Oracle WebLogic Server, whose installation creates the Middleware Home directory.

Oracle Entitlements Server Client (Security Module)

This component has its own installer and is not included in the Oracle Identity and Access Management 11g Release 2 (11.1.2.0.0) installation. The Oracle Entitlements Server Client does not require Oracle WebLogic Server.

8.3 Installation and Configuration Roadmap for Oracle Entitlements Server

Table 8–1 lists the tasks for installing and configuring Oracle Entitlements Server.

Table 8–1 Installation and Configuration Flow for Oracle Entitlements Server

No. Task Description

1 Review installation concepts in the Installation Planning Guide.

Read the Oracle Fusion Middleware Installation Planning Guide, which describes the process for various users to install or upgrade to Oracle Fusion Middleware 11g (11.1.2) depending on the user's existing environment.

2 Review the system requirements and certification documents to ensure that your environment meets the minimum installation requirements for the components you are installing.

For more information, see Section 2.1, "Reviewing System Requirements and Certification".

3 Obtain the Oracle Fusion Middleware Software.

For more information, see Section 3.2.1, "Obtaining the Oracle Fusion Middleware Software"

4 Install one of the following databases for the Oracle Entitlements Server policy store:

■ Oracle Database

■ Apache Derby 10.5.3.0, an evaluation database included in your Oracle WebLogic Server installation

Oracle recommends Oracle Database; Apache Derby is intended for evaluation only. If you are installing Oracle Database, see Section 3.2.2, "Database Requirements".

5 Create and load the appropriate schemas for Oracle Entitlements Server.

Depending on the policy store you choose for Oracle Entitlements Server, complete one of the following:

■ If you are using Oracle Database for Oracle Entitlements Server policy store, then you must create schemas for Oracle Entitlements Server using the Oracle Fusion Middleware Repository Creation Utility (RCU).

For more information, see Section 3.2.3, "Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU)".

■ If you are using Apache Derby for Oracle Entitlements Server policy store, you must create schemas for Oracle Entitlements Server as described in Section 8.4, "Creating Oracle Entitlement Server Schemas (For Apache Derby Only)".

6 Review WebLogic Server and Middleware Home requirements.

For more information, see Section 3.2.4, "WebLogic Server and Middleware Home Requirements".

Table 8–1 (Cont.) Installation and Configuration Flow for Oracle Entitlements Server

No. Task Description

7 Start the Oracle Identity and Access Management Installer.

For more information, see Section 3.2.6, "Starting the Oracle Identity and Access Management Installer".

8 Install the Oracle Identity and Access Management 11g software.

Oracle Entitlements Server is included in the Oracle Identity and Access Management Suite. You can use the Oracle Identity and Access Management 11g Installer to install Oracle Identity and Access Management Suite.

For more information, see Section 3.2.7, "Installing Oracle Identity and Access Management (11.1.2)".

9 Run the Oracle Fusion Middleware Configuration Wizard to configure Oracle Entitlements Server Administration Server.

For more information, see Section 8.5, "Configuring Oracle Entitlements Server Administration Server".

10 Install the Oracle Entitlements Server Client software.

For more information, see Section 8.6, "Installing Oracle Entitlements Server Client".

11 Configure Oracle Entitlements Server Client.

For more information, see Section 8.7, "Configuring Oracle Entitlements Server Client".

12 Get started with Oracle Entitlements Server.

For more information, see Section 8.8, "Getting Started with Oracle Entitlements Server After Installation".

8.4 Creating Oracle Entitlement Server Schemas (For Apache Derby Only)

If you are using Apache Derby for the Oracle Entitlements Server policy store, then you must complete the following:

1. Open setNetworkServerCP (located in wlserver_10.3/common/derby/bin on UNIX) or setNetworkServerCP.bat (located in wlserver_10.3\common\derby\bin on Windows) in a text editor and specify DERBY_HOME as shown in the following example:

DERBY_HOME="Oracle/Middleware/wlserver_10.3/common/derby"

2. Start the Apache Derby database by running the following commands:

■ setNetworkServerCP (UNIX) or setNetworkServerCP.bat (Windows).

■ startNetworkServer (located in wlserver_10.3/common/derby/bin on UNIX) or startNetworkServer.bat (located in wlserver_10.3\common\derby\bin on Windows).

You can also run startDerby.sh (located in wlserver_10.3/common/bin) or startDerby.cmd (located in wlserver_10.3\common\bin) to start the Apache Derby database. The Apache Derby database also starts automatically when you start Oracle WebLogic Server.

3. Test the network server connection by running ij (located in wlserver_10.3/common/derby/bin on UNIX) or ij.bat (located in wlserver_10.3\common\derby\bin on Windows) as follows:

bin/ij

4. Connect to the Apache Derby server, as shown in the following example:

ij> connect 'jdbc:derby://127.0.0.1:1527/data/oesdb;create=true';

oesdb is the name of the database and data is the relative path (based on the directory from which you start the server; in this example, Oracle/Middleware/wlserver_10.3/common/derby/bin) where the database files will be saved.

5. Open opss_user.sql (located in RCU_HOME/rcu/integration/apm/sql/derby) in a text editor and replace &&1 with the schema user name.

Repeat this step for the following SQL files (located in RCU_HOME/rcu/integration/apm/sql/derby):

■ opss_tables.sql

■ opss_version.sql

■ opss_gencatalog.sql

6. Run the following SQL files (located in RCU_HOME/rcu/integration/apm/sql/derby) in the ij console:

■ run 'opss_user.sql';

■ run 'opss_tables.sql';

■ run 'opss_version.sql';

■ run 'opss_gencatalog.sql';
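Steps 5 and 6 above edit the four RCU SQL files by hand and then run them in a fixed order. The following shell script is an added example, not part of this guide or of the RCU distribution: it copies the four files out of the RCU directory, replaces the &&1 placeholder with the schema user name (after checking that the name is a plain SQL identifier), and writes an ij script that runs the prepared files in the order the guide requires. The RCU_HOME/rcu/integration/apm/sql/derby source directory, the work directory and the schema user name are arguments you supply; the script does not start Derby or ij itself, and its function and file names are the example's own.

```shell
#!/bin/sh
# Added example (not from the Oracle guide or from RCU): prepares the four
# OPSS Derby SQL files from Section 8.4 for ij. It copies them to a work
# directory, replaces the &&1 placeholder with the schema user name, and
# writes an ij script that runs them in the order the guide requires.
# Assumed: the source directory is RCU_HOME/rcu/integration/apm/sql/derby
# and the file names are the ones listed in Section 8.4.

# Order matters: opss_user.sql creates the schema the later files populate.
OPSS_SQL_FILES="opss_user.sql opss_tables.sql opss_version.sql opss_gencatalog.sql"

# prepare_opss_sql SRC_DIR WORK_DIR SCHEMA_USER
# Prints the path of the generated ij script on success, returns 1 on error.
prepare_opss_sql() {
    src_dir=$1; work_dir=$2; schema_user=$3

    # The schema name is substituted straight into SQL text, so only accept
    # a plain identifier (letters, digits, underscore).
    case $schema_user in
        ''|*[!A-Za-z0-9_]*)
            echo "invalid schema user name: '$schema_user'" >&2; return 1 ;;
    esac

    mkdir -p "$work_dir" || return 1
    script="$work_dir/run_opss.sql"
    : > "$script"

    for f in $OPSS_SQL_FILES; do
        if [ ! -f "$src_dir/$f" ]; then
            echo "missing $src_dir/$f" >&2; return 1
        fi
        # Step 5: replace every &&1 with the schema user name, into a copy
        sed "s/&&1/$schema_user/g" "$src_dir/$f" > "$work_dir/$f" || return 1
        # Step 6: one ij 'run' line per file, in the required order
        printf "run '%s';\n" "$work_dir/$f" >> "$script"
    done
    echo "$script"
}

# Stand-alone use: prepare_opss.sh SRC_DIR WORK_DIR SCHEMA_USER
if [ "$#" -eq 3 ]; then
    prepare_opss_sql "$1" "$2" "$3"
fi
```

Saved as, say, prepare_opss.sh, it is run as sh prepare_opss.sh RCU_HOME/rcu/integration/apm/sql/derby /tmp/oes-work OES_OPSS; the printed run_opss.sql is then executed from the ij session of step 4 with run '/tmp/oes-work/run_opss.sql';. The identifier check is the important part: the replacement lands directly in SQL, so anything other than a bare identifier is rejected rather than substituted.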

Note (step 5): This is the schema name you will specify when you configure Oracle Entitlements Server as described in Section 8.5, "Configuring Oracle Entitlements Server Administration Server".

Note (step 6): Ensure that you run the SQL files in the order listed above, and make a note of the schema owner and password that you have created.

8.5 Configuring Oracle Entitlements Server Administration Server

This topic describes how to configure Oracle Entitlements Server in a new WebLogic domain. It includes the following sections:

■ Components Deployed

■ Prerequisites

■ Configuring Oracle Entitlements Server in a New WebLogic Domain

■ Configuring Security Store for Oracle Entitlements Server Administration Server

■ Starting the Administration Server

■ Verifying Oracle Entitlements Server Administration Server Configuration

8.5.1 Components Deployed

Performing the configuration in this section deploys the following:

■ WebLogic Administration Server

■ Oracle Entitlements Server application on the Administration Server


8.5.2 Prerequisites

The following are the prerequisites for configuring Oracle Entitlements Server 11g Release 2 (11.1.2):

■ Installing Oracle Entitlements Server

■ Extracting Apache Derby Template (Optional)

8.5.2.1 Installing Oracle Entitlements Server

You must install Oracle Entitlements Server Administration Server as described in Section 8.3, "Installation and Configuration Roadmap for Oracle Entitlements Server".

8.5.2.2 Extracting Apache Derby Template (Optional)

If you are using Apache Derby, then you must extract the oracle.apm_11.1.1.3.0_template_derby.zip file (located in IAM_HOME/common/templates/applications) and save the oracle.apm_11.1.1.3.0_template_derby.jar file to the following location:

IAM_HOME\common\templates\applications

8.5.3 Configuring Oracle Entitlements Server in a New WebLogic Domain

Perform the following steps to configure Oracle Entitlements Server in a new WebLogic domain:

1. Run the IAM_HOME/common/bin/config.sh script (on UNIX), or IAM_HOME\common\bin\config.cmd (on Windows).

The Fusion Middleware Configuration Wizard appears.

2. On the Welcome screen, select the Create a new WebLogic domain option. Click Next.

The Select Domain Source screen appears.

3. On the Select Domain Source screen, ensure that the Generate a domain configured automatically to support the following products: option is selected.

Select the Oracle Entitlements Server for Admin Server- 11.1.1.0 [IAM_Home] option, and click Next.

Note: You must have a dedicated Oracle WebLogic Server domain for Oracle Entitlements Server. Do not configure any other Oracle Identity and Access Management components in this domain.


The Specify Domain Name and Location screen appears.

4. Enter a name and a location for the domain to be created, and click Next.

The Configure Administrator User Name and Password screen appears.

5. Enter a user name and a password for the administrator. The default user name is weblogic. Click Next.

The Configure Server Start Mode and JDK screen appears.

6. Choose a JDK from the Available JDKs and then select a WebLogic Domain Startup Mode. Click Next.

The Configure JDBC Component Schema screen is displayed.

7. On the Configure JDBC Component Schema screen, select the OPSS Schema and specify the Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next.

The Test JDBC Component Schema screen appears.

8. Select the component schema you want to test, and click Test Connections. After the test succeeds, click Next.

The Select Optional Configuration screen appears.

9. On the Select Optional Configuration screen, you can configure the Administration Server, Managed Servers, Clusters, Machines, Deployments and Services, and RDBMS Security Store. Select the relevant check boxes, and click Next.

Notes (step 3):

■ When you select the Oracle Entitlements Server for Admin Server- 11.1.1.0 [IAM_Home] option, the following options are also selected by default:

■ Oracle Platform Security Service 11.1.1.0 [IAM_Home]

■ Oracle JRF 11.1.1.0 [oracle_common]

■ If you are using Apache Derby, then select the Oracle Entitlements Server Derby template.

Note (step 5): When you enter the user name and the password for the administrator, be sure to remember them.

Note (step 6): Ensure that the JDK version you select is Java SE 6 Update 24 or higher.

Note (step 7): You get the schema information from the steps you completed in Section 8.4, "Creating Oracle Entitlement Server Schemas (For Apache Derby Only)".


10. On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain.

A new WebLogic domain to support Oracle Entitlements Server is created in the <MW_HOME>\user_projects\domains directory (on Windows). On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory.

8.5.4 Configuring Security Store for Oracle Entitlements Server Administration Server

You must run the configureSecurityStore.py script to configure the security store for Oracle Entitlements Server Administration Server.

The configureSecurityStore.py script is located in the <IAM_HOME>\common\tools directory. You can use the -h option for help information about using the script.

For example (on UNIX):

<MW_HOME>/oracle_common/common/bin/wlst.sh <IAM_HOME>/common/tools/configureSecurityStore.py -h

Configure the security store for Oracle Entitlements Server Administration Server as follows:

On Windows:

<MW_HOME>\oracle_common\common\bin\wlst.cmd <IAM_HOME>\common\tools\configureSecurityStore.py -d <domaindir> -s <datasource> -f <farmname> -t <servertype> -j <jpsroot> -m <mode> -p <password>

For example:

<MW_HOME>\oracle_common\common\bin\wlst.cmd <IAM_HOME>\common\tools\configureSecurityStore.py -d <MW_Home>\user_projects\domains\base_domain -t DB_ORACLE -j cn=jpsroot -m create -p welcome1

On UNIX:

<MW_HOME>/oracle_common/common/bin/wlst.sh <IAM_HOME>/common/tools/configureSecurityStore.py -d <domaindir> -s <datasource> -f <farmname> -t <servertype> -j <jpsroot> -m <mode> -p <password>

For example:

<MW_HOME>/oracle_common/common/bin/wlst.sh <IAM_HOME>/common/tools/configureSecurityStore.py -d <MW_Home>/user_projects/domains/base_domain -t DB_ORACLE -j cn=jpsroot -m create -p welcome1

Table 8–2 describes the parameters that you may specify on the command line.

Note: This step is optional.

Table 8–2 OES Administration Server Security Store Configuration Parameters

Parameter Description

-d domaindir Location of the Oracle Entitlements Server Administration Server domain.

-s datasource The data source of the security store configured in the domain. Optional; the default value is opss-DBDS.

-f farmname The security store farm name. Optional; the default value is the domain name.

-t servertype The policy store type. For example: DB_ORACLE, DB_DERBY, or OID. Optional; the default value is DB_ORACLE.

-j jpsroot The distinguished name of jpsroot. Optional; the default value is cn=jpsroot.

-m mode One of the following:

create: Use create if you want to create a new database security store.

join: Use join if you want to use an existing database security store for the domain.

validate: Use validate to verify whether the security store has been configured correctly. This command validates the diagnostics data created during the initial creation of the security store.

validatefix: Use validatefix to fix the diagnostics data present in the security store.

fixjse: Use fixjse to update the domain's database security store credentials used for access by JSE tools.

-c config The configuration mode of the domain. For example: IAM. Optional; the default value is None.

Note: If the -c <config> option is specified, the OES Administration Server is configured in mixed mode; it can then only distribute policies to Security Modules in non-controlled mode and controlled pull mode.

For example: If the OES Administration Server is deployed in a domain where other Oracle Identity and Access Management components (OIM, OAM, OAAM, OPAM, or OIN) are deployed, then the domain is configured in mixed mode. In this case, the OES Administration Server is used for managing the Oracle Identity and Access Management policies only. It should not be used to manage the policies for any other applications protected by OES Security Modules.

If the -c <config> option is not specified, the OES Administration Server is configured in non-controlled mode and can distribute policies to Security Modules in controlled push mode.

For example: If you want to use the OES Administration Server to manage custom applications that are protected by OES Security Modules, then the OES Administration Server must be deployed in a domain with non-controlled distribution mode.

-p password The OPSS schema password.
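The configureSecurityStore.py invocation in Section 8.5.4 takes the OPSS schema password on the command line (-p welcome1 in the example above), and Table 8–2 makes several options mandatory only for particular modes (-k and -w with -m join, -u with -m fixjse). The following shell wrapper is an added example and is not part of this guide or of the Oracle tools: it checks the -t and -m values and those mode-specific requirements before invoking WLST, reads the password from a file you protect rather than taking it as a typed argument, and assembles the argument list. It assumes MW_HOME and IAM_HOME are set in the environment; the function names, the password-file convention and the fixed -j cn=jpsroot value are the example's own choices.

```shell
#!/bin/sh
# Added example, not part of the Oracle guide. Wraps the
# configureSecurityStore.py invocation from Section 8.5.4 and enforces the
# parameter rules from Table 8-2 before anything is run. Assumptions:
# MW_HOME and IAM_HOME are exported, and the OPSS schema password is kept in
# a mode-0600 file whose path is passed in (example convention).

# check_security_store_args SERVERTYPE MODE KEYDIR KEYPASS USER
# Returns 0 when the combination is valid according to Table 8-2, 1 otherwise.
check_security_store_args() {
    case $1 in
        DB_ORACLE|DB_DERBY|OID) ;;
        *) echo "unsupported -t servertype: '$1'" >&2; return 1 ;;
    esac
    case $2 in
        create|validate|validatefix) ;;
        join)
            # Table 8-2: -k keyfilepath and -w keyfilepassword are mandatory with -m join
            if [ -z "$3" ] || [ -z "$4" ]; then
                echo "-m join requires -k keyfilepath and -w keyfilepassword" >&2; return 1
            fi
            if [ ! -f "$3/ewallet.p12" ]; then
                echo "no ewallet.p12 found in $3" >&2; return 1
            fi ;;
        fixjse)
            # Table 8-2: -u username is mandatory with -m fixjse
            if [ -z "$5" ]; then
                echo "-m fixjse requires -u username" >&2; return 1
            fi ;;
        *) echo "unsupported -m mode: '$2'" >&2; return 1 ;;
    esac
    return 0
}

# configure_security_store DOMAINDIR SERVERTYPE MODE PASSFILE [KEYDIR KEYPASS USER]
# Validates, then runs WLST with configureSecurityStore.py.
configure_security_store() {
    domaindir=$1; servertype=$2; mode=$3; passfile=$4
    keydir=$5; keypass=$6; user=$7

    check_security_store_args "$servertype" "$mode" "$keydir" "$keypass" "$user" || return 1
    if [ ! -d "$domaindir" ]; then
        echo "domain directory not found: $domaindir" >&2; return 1
    fi

    # The OPSS schema password comes from the first line of the file. -p still
    # exposes it in the argument list of the running WLST process, so the file
    # only keeps it out of shell history and out of typed command lines.
    password=$(head -n 1 "$passfile") || return 1

    set -- -d "$domaindir" -t "$servertype" -j cn=jpsroot -m "$mode" -p "$password"
    if [ "$mode" = join ]; then
        set -- "$@" -k "$keydir" -w "$keypass"
    elif [ "$mode" = fixjse ]; then
        set -- "$@" -u "$user"
    fi

    "${MW_HOME:?MW_HOME is not set}/oracle_common/common/bin/wlst.sh" \
        "${IAM_HOME:?IAM_HOME is not set}/common/tools/configureSecurityStore.py" "$@"
}
```

A first run with mode create builds the store; a second run with mode validate (no extra options) is the check Table 8–2 provides for an existing store. Because -p places the password in the WLST process's argument list while it runs, keep the password file at mode 0600 and remove it once the store is configured.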

Table 8–2 (Cont.) OES Administration Server Security Store Configuration Parameters

Parameter Description

-k keyfilepath The directory containing the encryption key file ewallet.p12. If -m join is specified, this option is mandatory.

-w keyfilepassword The password used when the domain's key file was generated. If -m join is specified, this option is mandatory.

-u username The user name of the OPSS schema. If -m fixjse is specified, this option is mandatory.

8.5.5 Starting the Administration Server

You must start the Administration Server by running the following command on the command line:

Windows:

MW_HOME\user_projects\domains\domain_name\bin\startWebLogic.cmd

UNIX:

MW_HOME/user_projects/domains/domain_name/bin/startWebLogic.sh

8.5.6 Verifying Oracle Entitlements Server Administration Server Configuration

To verify that your Oracle Entitlements Server Administration Server configuration was successful, use the following URL to log in to the Oracle Entitlements Server Administration Console:

http://hostname:port/apm/

where hostname is the DNS name or IP address of the Administration Server and port is the port on which the Administration Server listens for requests.

For more information, see the section "Logging In to and Signing Out of the User Interface" in the Oracle Fusion Middleware Administrator's Guide for Oracle Entitlements Server.

8.6 Installing Oracle Entitlements Server Client

This section contains the following topics:

■ Prerequisites

■ Obtaining Oracle Entitlements Server Client Software

■ Installing Oracle Entitlements Server Client

■ Verifying Oracle Entitlements Server Client Installation

■ Applying a Patch Using OPatch

8.6.1 Prerequisites

You must install and configure Oracle Entitlements Server Administration Server, as described in Section 8.3, "Installation and Configuration Roadmap for Oracle Entitlements Server".


8.6.2 Obtaining Oracle Entitlements Server Client Software

For more information on obtaining the Oracle Entitlements Server Client 11g software, see Oracle Fusion Middleware Download, Installation, and Configuration ReadMe.

8.6.3 Installing Oracle Entitlements Server Client

To install Oracle Entitlements Server Client 11g Release 2 (11.1.2.0.0), extract the contents of oesclient.zip to your local directory and then run setup.exe (on Windows) or ./runInstaller (on UNIX) from the Disk1 directory.

Follow the instructions in Table 8–3 to install Oracle Entitlements Server Client.

If you need additional help with any of the installation screens, click Help to access the online help.

Note: The installer prompts you to enter the absolute path of the JDK that is installed on your system. When you install Oracle WebLogic Server, the jdk160_29 directory is created under your Middleware Home. You must enter the absolute path of the JRE folder located in this JDK when launching the installer. For example, on Windows, if the JRE is located in C:\oracle\Middleware\jdk160_29, then launch the installer from the command prompt as follows:

C:\setup.exe -jreLoc C:\oracle\Middleware\jdk160_29\jre

You must specify the -jreLoc option on the command line when using the JDK to avoid installation issues.

Table 8–3 Installation Flow for the Oracle Entitlements Server Client

No. Screen Description and Action Required

1 Welcome Click Next to continue.

2 Prerequisite Checks If all prerequisite checks pass inspection, then click Next to continue.

3 Specify Installation Location In the Oracle Home Directory field, enter the directory where you want to install the Oracle Entitlements Server client. This directory is also referred to as OES_Client_Home in this book.

Note: If the Security Module you want to configure requires creation of a WebLogic domain, then you must install the Oracle Entitlements Server client in the Middleware Home that was created during WebLogic Server installation.

Oracle recommends that you install the Oracle Entitlements Server client in a separate directory in the same Middleware Home where the Oracle Entitlements Server Administration server is installed. For example, MW_HOME/Oracle_Client_Home.

Click Next to continue.


Table 8–3 (Cont.) Installation Flow for the Oracle Entitlements Server Client

No. Screen Description and Action Required

4 Installation Summary The Installation Summary screen displays a summary of the choices that you made. Review this summary and decide whether to start the installation. If you want to modify any of the configuration settings at this stage, select a topic in the left navigation pane and modify your choices. To continue installing OES Client Management, click Install.

5 Installation Progress If you are installing on a UNIX system, you may be asked to run the ORACLE_HOME/oracleRoot.sh script to set up the proper file and directory permissions.

Click Next to continue.

8 Installation Complete Click Finish to dismiss the installer.

This installation process copies the OES Client software to your system and creates an OES_Client_Home directory under your Middleware Home. You must proceed to create a WebLogic domain by running the Oracle Fusion Middleware Configuration Wizard. In addition, you must configure the Administration Server settings while creating the domain.

8.6.4 Verifying Oracle Entitlements Server Client Installation

To verify that your Oracle Entitlements Server Client installation was successful, go to the Oracle Home directory that you specified during installation and verify that the Oracle Entitlements Server Client installation files have been created.

8.6.5 Applying a Patch Using OPatch

After installing the Oracle Entitlements Server Client software, you must apply a patch to the oracle_common directory using OPatch.

Note: This patch is required only if you have installed the Oracle Entitlements Server Client software in a different Middleware Home from the Oracle Entitlements Server Administration Server.

Skip this step if you are installing the Oracle Entitlements Server Client software into the same Middleware Home as the Oracle Entitlements Server Administration Server, because the patch has already been applied automatically.

This patch applies only to the following Security Module configurations:

■ WebLogic Server Security Module in a JRF environment

■ Web Service Security Module on Oracle WebLogic Server domain in a JRF environment

■ WebSphere Security Module in a JRF environment

■ Oracle Service Bus Security Module

To apply the patch to the oracle_common directory using OPatch, do the following:

1. Go to the OES_Client_Home/oneoffpatches directory.

2. Extract the contents of the 13591235.zip file and go to the OES_Client_Home/oneoffpatches/13591235 directory.

3. Follow the instructions provided in the README.txt file located in the OES_Client_Home/oneoffpatches/13591235 directory.

8.7 Configuring Oracle Entitlements Server Client

Oracle Entitlements Server Client distributes policies to individual Security Modules that protect applications and services. Policy data is distributed in a controlled manner or in a non-controlled manner. The distribution mode is defined in the jps-config.xml configuration file for each Security Module. The specified distribution mode applies to all Application Policy objects bound to that Security Module.

This section describes how to configure the following:

■ Configuring Security Modules in a Controlled Push Mode (Quick Configuration)

■ Configuring Distribution Modes

■ Configuring Security Modules

■ Locating Security Module Instances

■ Using the Java Security Module

■ Configuring the PDP Proxy Client

8.7.1 Configuring Security Modules in a Controlled Push Mode (Quick Configuration)

This section describes how to configure a Security Module quickly using the pre-existing smconfig.prp files.

Note: Oracle recommends that you configure Oracle Entitlements Server Client in the controlled distribution mode.

■ Configuring Java Security Module in a Controlled Push Mode

■ Configuring RMI Security Module in a Controlled Push Mode

■ Configuring Web Service Security Module in a Controlled Push Mode

■ Configuring Oracle WebLogic Server Security Module in a Controlled Push Mode

8.7.1.1 Configuring Java Security Module in a Controlled Push Mode

To configure a Java Security Module instance in controlled distribution mode, do the following:

1. Open the smconfig.java.controlled.prp file (located in OES_CLIENT_HOME/oessm/SMConfigTool) in a text editor, and then specify the parameters described in Table 8–4.

2. Run config.sh (located in OES_CLIENT_HOME/oessm/bin on UNIX) or config.cmd (located in OES_CLIENT_HOME\oessm\bin on Windows) as follows:

config.sh -smConfigId <SM_NAME> -prpFileName OES_CLIENT_HOME/oessm/SMConfigTool/smconfig.java.controlled.prp

3. When prompted, specify the following:

■ Oracle Entitlements Server user name (this is the Administration Server's user name)

■ Oracle Entitlements Server password (this is the Administration Server's password)

■ New key store password for enrollment

8.7.1.2 Configuring RMI Security Module in a Controlled Push Mode

To configure an RMI Security Module instance in controlled distribution mode, do the following:

1. Open the smconfig.rmi.controlled.prp file (located in OES_CLIENT_HOME/oessm/SMConfigTool) in a text editor, and then specify the parameters described in Table 8–4.

2. Run config.sh (located in OES_CLIENT_HOME/oessm/bin on UNIX) or config.cmd (located in OES_CLIENT_HOME\oessm\bin on Windows) as follows:

config.sh -smConfigId <SM_NAME> -RMIListeningPort <RMISM_PORT> -prpFileName OES_CLIENT_HOME/oessm/SMConfigTool/smconfig.rmi.controlled.prp

3. When prompted, specify the following:

■ Oracle Entitlements Server user name (this is the Administration Server's user name)

■ Oracle Entitlements Server password (this is the Administration Server's password)

■ New key store password for enrollment

8.7.1.3 Configuring Web Service Security Module in a Controlled Push Mode

To configure a Web Service Security Module instance in controlled distribution mode, do the following:

1. Open the smconfig.ws.controlled.prp file (located in OES_CLIENT_HOME/oessm/SMConfigTool) in a text editor, and then specify the parameters described in Table 8–4.

2. Run config.sh (located in OES_CLIENT_HOME/oessm/bin on UNIX) or config.cmd (located in OES_CLIENT_HOME\oessm\bin on Windows) as follows:

config.sh -smConfigId <SM_NAME> -WSListeningPort <WSSM_PORT> -prpFileName OES_CLIENT_HOME/oessm/SMConfigTool/smconfig.ws.controlled.prp

3. When prompted, specify the following:

■ Oracle Entitlements Server user name (this is the Administration Server's user name)

■ Oracle Entitlements Server password (this is the Administration Server's password)

■ Key store password for enrollment

8.7.1.4 Configuring Oracle WebLogic Server Security Module in a Controlled Push Mode

To configure an Oracle WebLogic Server Security Module instance in controlled distribution mode, do the following:


1. Open the smconfig.wls.controlled.prp file (located in OES_CLIENT_HOME/oessm/SMConfigTool) in a text editor, and then specify the parameters described in Table 8–4.

2. Run config.sh (located in OES_CLIENT_HOME/oessm/bin on UNIX) or config.cmd (located in OES_CLIENT_HOME\oessm\bin on Windows) as follows:

config.sh -smConfigId <SM_NAME> -prpFileName OES_CLIENT_HOME/oessm/SMConfigTool/smconfig.wls.controlled.prp -serverLocation <WebLogic Server Home>

3. Create an Oracle Entitlements Server Client domain, as described in Configuring OES Client Domain in a Non-JRF Environment or Configuring OES Client Domain in a JRF Environment.

8.7.2 Configuring Distribution Modes

For more information about distribution modes, see the section "Defining Distribution Modes" in the Oracle Fusion Middleware Developer's Guide for Oracle Entitlements Server.

The following sections explain how to configure distribution modes:

■ Configuring Controlled Distribution

■ Configuring Non-Controlled and Controlled Pull Distribution Mode

8.7.2.1 Configuring Controlled Distribution

To configure controlled distribution mode, open the smconfig.prp file (located in OES_CLIENT_HOME/oessm/bin/SMConfigTool) in a text editor, and edit the parameters described in Table 8–4.

8.7.2.2 Configuring Non-Controlled and Controlled Pull Distribution Mode

Open the smconfig.prp file (located in OES_CLIENT_HOME/oessm/bin/SMConfigTool) in a text editor and edit the parameters described in Table 8–5.

Table 8–4 smconfig.prp File Parameters (Controlled Distribution)

Parameter Description

oracle.security.jps.runtime.pd.client.policyDistributionMode

Accept the default value controlled-push as the distribution mode.

oracle.security.jps.runtime.pd.client.RegistrationServerHost

Enter the address of the Oracle Entitlements Server Administration Server.

oracle.security.jps.runtime.pd.client.RegistrationServerPort

Enter the SSL port number of the Oracle Entitlements Server Administration Server. You can find the SSL port number in the WebLogic Administration Console.

Table 8–5 smconfig.prp File Parameters (Non-Controlled Distribution)

Parameter Description

oracle.security.jps.runtime.pd.client.policyDistributionMode

Enter non-controlled or controlled-pull as the distribution mode.


8.7.3 Configuring Security Modules

Oracle Entitlements Server Client includes the following Security Modules:

■ Configuring WebLogic Server Security Module

■ Configuring Web Service Security Module

■ Configuring Web Service Security Module on Oracle WebLogic Server

■ Configuring Oracle Service Bus Security Module

■ Configuring IBM WebSphere Security Module

■ Configuring JBoss Security Module

■ Configuring the Apache Tomcat Security Module

■ Configuring Java Security Module

■ Configuring RMI Security Module

■ Configuring Microsoft .NET Security Module

■ Configuring Microsoft SharePoint Server (MOSS) Security Module
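Each of the Security Modules listed above is configured by running config.sh with an smconfig.prp file whose distribution-mode parameters are given in Table 8–4 (controlled-push) and Table 8–5 (non-controlled and controlled-pull). The following shell script is an added example, not part of this guide or of the OES client: it reads a Java properties file and checks that the keys those two tables require for the chosen mode are present and consistent, so that a mismatch is caught before config.sh is run with the file. The function names are the example's own, and only the keys from Tables 8–4 and 8–5 are checked.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: checks an smconfig.prp file
# against the parameter rules in Tables 8-4 and 8-5 before config.sh is run
# with it. Only the keys those tables list are examined.

# prop FILE KEY -> prints the (last) value of KEY from a Java properties file
prop() {
    # escape the dots in the key so sed matches them literally
    k=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*$k[[:space:]]*[=:][[:space:]]*//p" "$1" | tail -n 1
}

# check_smconfig FILE -> 0 if the file is consistent, 1 with a message on stderr
check_smconfig() {
    f=$1
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    mode=$(prop "$f" oracle.security.jps.runtime.pd.client.policyDistributionMode)
    case $mode in
        controlled-push)
            # Table 8-4: the module enrolls with the Administration Server, so
            # its host and SSL port must both be given
            host=$(prop "$f" oracle.security.jps.runtime.pd.client.RegistrationServerHost)
            port=$(prop "$f" oracle.security.jps.runtime.pd.client.RegistrationServerPort)
            [ -n "$host" ] || { echo "RegistrationServerHost is not set" >&2; return 1; }
            case $port in
                ''|*[!0-9]*)
                    echo "RegistrationServerPort must be numeric, got '$port'" >&2; return 1 ;;
            esac ;;
        non-controlled|controlled-pull)
            # Table 8-5: the module reads the policy store directly, so the
            # store type and the URL matching that type must be given
            type=$(prop "$f" oracle.security.jps.policystore.type)
            case $type in
                DB|Derby)
                    [ -n "$(prop "$f" jdbc.url)" ] || {
                        echo "jdbc.url is required for policystore.type=$type" >&2; return 1; } ;;
                OID)
                    [ -n "$(prop "$f" ldap.url)" ] || {
                        echo "ldap.url is required for policystore.type=OID" >&2; return 1; } ;;
                *)
                    echo "unknown policystore.type '$type' (expected DB, OID or Derby)" >&2; return 1 ;;
            esac ;;
        *)
            echo "unknown policyDistributionMode '$mode'" >&2; return 1 ;;
    esac
    return 0
}

# Stand-alone use: check_smconfig.sh FILE
if [ "$#" -eq 1 ]; then
    check_smconfig "$1"
fi
```

Run check_smconfig on the edited prp file before invoking config.sh: a controlled-push file must name the Administration Server host and its SSL port, and a non-controlled or controlled-pull file must name the store type together with the matching jdbc.url (DB or Derby) or ldap.url (OID). The farm name and jps root name from Table 8–5 have defaults and are not checked.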

8.7.3.1 Configuring WebLogic Server Security Module

The WebLogic Security Module is a custom Java Security Module that includes both a Policy Decision Point and a Policy Enforcement Point. It can receive requests directly from the WebLogic Server without the need for explicit authorization API calls. It runs only on the WebLogic Server container.

To configure a WebLogic Server Security Module instance, you must run the config.sh (located in OES_CLIENT_HOME/oessm/bin on UNIX) or config.cmd (located in OES_CLIENT_HOME\oessm\bin on Windows) as follows:

config.sh -onJRF -smType wls -smConfigId mySM_WLS -serverLocation MW_HOME/wlserver_10.3/

In non-controlled and controlled-pull distribution modes, when prompted, specify the Oracle Entitlements Server schema user name and password.

Table 8–6 describes the parameters you specify on the command line.

Note: If you are using a non-JRF environment, do not specify the -onJRF parameter.

Table 8–5 (Cont.) smconfig.prp File Parameters (Non-Controlled Distribution)

Parameter Description

oracle.security.jps.policystore.type

Specify the policy store type. For example, DB for Oracle Database, OID for Oracle Internet Directory, and Derby for Apache Derby.

jdbc.url

Specify your database policy store JDBC URL.

ldap.url

Specify your LDAP URL.

oracle.security.jps.farm.name

Specify your domain name. The default value is cn=oes_domain.

oracle.security.jps.ldap.root.name

Specify the root name of the jps context. The default value is cn=jpsroot.

The Configuration Wizard is displayed. You can create an Oracle Entitlements Server Client domain in a JRF environment or in a non-JRF environment. Depending on the option you select, complete one of the following:

■ Configuring OES Client Domain in a Non-JRF Environment

■ Configuring OES Client Domain in a JRF Environment

Configuring OES Client Domain in a Non-JRF Environment

To create the Oracle Entitlements Server Client domain without JRF, complete the following steps:

1. The Fusion Middleware Configuration Wizard appears after you invoke the Security Module configuration tool.

2. On the Welcome screen, select the Create a new WebLogic domain option. Click Next.

The Select Domain Source screen appears.

3. On the Select Domain Source screen, ensure that the Generate a domain configured automatically to support the following products: option is selected.

Select the Oracle Entitlements Server WebLogic Security Module - 11.1.1.0 [oesclient] option. Click Next.

The Specify Domain Name and Location screen appears.

4. Enter a name and a location for the domain to be created, and click Next.

The Configure Administrator User Name and Password screen appears.

5. Enter a user name and a password for the administrator. The default user name is weblogic. Click Next.

Table 8–6 Oracle WebLogic Server Security Module Parameters

Parameter Description

smType Type of security module instance you want to create. It should be wls.

smConfigId Name of the security module instance. For example, mySM_WLS_Controlled.

serverLocation Location of the Oracle WebLogic Server.

Note: Non-controlled mode is the default distribution mode for Oracle WebLogic Server Security Module in a JRF environment. Controlled-push mode is the default distribution mode for Oracle WebLogic Server Security Module in a non-JRF environment. Controlled-push mode is not supported for Oracle WebLogic Server Security Module in a JRF-enabled domain.

Note (step 3): Ensure that you do not select the domain template Oracle Entitlements Server for Admin Server - 11.1.1.0 [IAM_HOME], which is associated with the Oracle Entitlements Server Administration Server.


Note: When you enter the user name and the password for the administrator, be sure to remember them.

The Configure Server Start Mode and JDK screen appears.

6. Choose a JDK from the Available JDKs and then select a WebLogic Domain Startup Mode. Click Next.

Note: Ensure that the JDK version you select is Java SE 6 Update 24 or higher.

The Select Optional Configuration screen is displayed.

7. On the Select Optional Configuration screen, you can configure Administration Server and Managed Servers, Clusters, and Machines, Deployments and Services, and RDBMS Security Store options. Click Next.

8. Optional: Configure the following Administration Server parameters:

■ Name: Valid server names are a string of alphabetic and numeric characters. The name must be unique in the domain. For example, AdminServer.

■ Listen address: From the drop-down list, select a value for the listen address. See Specifying the Listen Address for information about the available values.

■ Listen port: Enter a valid value for the listen port to be used for regular, nonsecure requests (through protocols such as HTTP and T3). The default value is the next available listen port. If you leave this field blank, the default value is used. For example, 7001.

Note: Ensure that the value for the listen port is different from the listen port of the other Oracle Identity and Access Management components. For more information, see "Managing Ports" in the Oracle Fusion Middleware Administrator's Guide.

■ SSL enabled: Select this check box to enable the SSL listen port. By default, SSL is disabled for all new servers.

■ SSL listen port: Enter a valid value to be used for secure requests (through protocols such as HTTPS and T3S). The default value is the next available listen port. If you leave this field blank, the default value is used. For example, 7002.

Note: After you specify the SSL listen port value, you must update the oracle.security.jps.pd.clientPort property in the smconfig.wls.controlled.prp file or the smconfig.prp file with the SSL listen port value. You must then run the smconfig tool for Oracle WebLogic Server Security Module and set the Administration Server SSL port to the port specified in oracle.security.jps.pd.clientPort.

9. Optional: Configure Managed Servers, as required.


In the Configure Managed Servers screen, click Add and create two Managed Servers. Enter the following information:

■ Name: Enter OES_ManagedServer_1 and OES_ManagedServer_2.

■ Listen address: From the drop-down list, select a value for the listen address for OES_ManagedServer_1 and OES_ManagedServer_2.

■ Listen port—Enter a valid value for the listen port to be used for OES_ManagedServer_1 and OES_ManagedServer_2. The default value is the next available listen port. If you leave this field blank, the default value is used. The valid listen port range is 1 to 65535.

■ SSL enabled—Select this check box to enable the SSL listen port. By default, SSL is disabled for all new servers.

■ SSL listen port—Enter a valid value to be used for secure requests (through protocols such as HTTPS and T3S) for OES_ManagedServer_1 and OES_ManagedServer_2. The default value is the next available listen port. If you leave this field blank, the default value is used. The valid listen port range is 1 to 65535.

10. Optional: Configure Clusters, as required.

For more information about configuring clusters for Oracle Identity and Access Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

11. Optional: Assign Managed Servers to clusters, as required.

12. Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

13. Optional: Assign the Administration Server to a machine.

14. Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

15. Optional: Configure RDBMS Security Store, as required.

16. On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain.
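The listen-port notes in the procedure above impose two checks: the Administration Server SSL listen port must be copied into oracle.security.jps.pd.clientPort in the .prp file, and neither listen port may collide with another Oracle Identity and Access Management component on the host. The following Python script is an added example, not part of the guide; the .prp fragment and the table of ports already in use are constructed, and the parser assumes a plain key=value properties file without line continuations.

```python
"""Consistency checks for the OES Client domain listen ports (added example).

1. oracle.security.jps.pd.clientPort in smconfig.prp (or
   smconfig.wls.controlled.prp) must equal the Administration Server SSL
   listen port chosen in the Configuration Wizard.
2. Neither listen port may be one already used by another IAM component.
"""
import re

CLIENT_PORT_KEY = "oracle.security.jps.pd.clientPort"

# Constructed fragment of an smconfig.prp file, still holding the clientPort
# value from before the Configuration Wizard run.
SAMPLE_PRP = """# Security Module configuration (constructed sample)
oracle.security.jps.pd.clientPort=7002
oracle.security.jps.ldap.root.name=cn=jpsroot
"""

# Constructed table of ports already taken by other IAM components on the same
# host; in practice fill it from "Managing Ports" in the Oracle Fusion
# Middleware Administrator's Guide.
USED_PORTS = {
    "Oracle Entitlements Server Administration Server (HTTP)": 7001,
    "Oracle Entitlements Server Administration Server (SSL)": 7002,
}

_PROP_RE = re.compile(r"^\s*([^=:\s]+)\s*[=:]?\s*(.*?)\s*$")


def parse_properties(text):
    """Minimal Java .properties parser: '#'/'!' comments, '=' or ':' separators.

    Escapes and line continuations are not handled (the sample has none).
    A value may itself contain '=', as in cn=jpsroot.
    """
    props = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#!":
            continue
        match = _PROP_RE.match(line)
        if match:
            props[match.group(1)] = match.group(2)
    return props


def check_listen_ports(prp_text, listen_port, ssl_listen_port, used_ports):
    """Return a list of findings; an empty list means the ports are consistent."""
    findings = []
    for port in (listen_port, ssl_listen_port):
        if not 1 <= port <= 65535:
            findings.append(f"port {port} is outside the valid range 1 to 65535")
    if listen_port == ssl_listen_port:
        findings.append("listen port and SSL listen port must differ")
    for component, port in used_ports.items():
        if port == listen_port:
            findings.append(f"listen port {listen_port} is already used by {component}")
        if port == ssl_listen_port:
            findings.append(f"SSL listen port {ssl_listen_port} is already used by {component}")
    current = parse_properties(prp_text).get(CLIENT_PORT_KEY)
    if current != str(ssl_listen_port):
        findings.append(f"{CLIENT_PORT_KEY} is {current!r}; expected {ssl_listen_port}")
    return findings


def set_client_port(prp_text, ssl_listen_port):
    """Return prp_text with clientPort set to the SSL listen port (appended if absent)."""
    line_re = re.compile(rf"^[ \t]*{re.escape(CLIENT_PORT_KEY)}[ \t]*[=:].*$", re.MULTILINE)
    new_line = f"{CLIENT_PORT_KEY}={ssl_listen_port}"
    if line_re.search(prp_text):
        return line_re.sub(new_line, prp_text, count=1)
    return prp_text.rstrip("\n") + "\n" + new_line + "\n"


if __name__ == "__main__":
    # Constructed wizard choices for the client domain's Administration Server:
    # 7003 for HTTP/T3 and 7004 for HTTPS/T3S, avoiding the OES server's 7001/7002.
    for finding in check_listen_ports(SAMPLE_PRP, 7003, 7004, USED_PORTS):
        print("finding:", finding)
    fixed = set_client_port(SAMPLE_PRP, 7004)
    print(fixed)
    print("after fix:", check_listen_ports(fixed, 7003, 7004, USED_PORTS))
```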

Configuring OES Client Domain in a JRF Environment

To create the OES Client domain with JRF, complete the following steps:

1. The Fusion Middleware Configuration Wizard appears after you invoke the Security Module configuration tool.

2. On the Welcome screen, select the Create a new WebLogic domain option. Click Next.

The Select Domain Source screen appears.

3. On the Select Domain Source screen, ensure that the Generate a domain configured automatically to support the following products: option is selected.

Select the Oracle Entitlements Server WebLogic Security Module On JRF - 11.1.1.0 [oesclient] option. Click Next.

Note: Ensure that you do not select the domain template Oracle Entitlements Server for Admin Server - 11.1.1.0 [IAM_HOME], which is associated with the Oracle Entitlements Server Administration Server.

The Specify Domain Name and Location screen appears.

4. Enter a name and a location for the domain to be created, and click Next.

The Configure Administrator User Name and Password screen appears.

5. Enter a user name and a password for the administrator. The default user name is weblogic. Click Next.

Note: When you enter the user name and the password for the administrator, be sure to remember them.

The Configure Server Start Mode and JDK screen appears.

6. Choose a JDK from the Available JDKs and then select a WebLogic Domain Startup Mode. Click Next.

Note: Ensure that the JDK version you select is Java SE 6 Update 24 or higher.

The Select Optional Configuration screen is displayed.

7. On the Select Optional Configuration screen, you can configure Administration Server and Managed Servers, Clusters, and Machines, Deployments and Services, and RDBMS Security Store options. Click Next.

8. Optional: Configure the following Administration Server parameters:

■ Name: Valid server names are a string of alphabetic and numeric characters. The name must be unique in the domain. For example, AdminServer.

■ Listen address: From the drop-down list, select a value for the listen address. See Specifying the Listen Address for information about the available values.

■ Listen port: Enter a valid value for the listen port to be used for regular, nonsecure requests (through protocols such as HTTP and T3). The default value is the next available listen port. If you leave this field blank, the default value is used. For example, 7001.

Note: Ensure that the value for the listen port is different from the listen port of the other Oracle Identity and Access Management components. For more information, see "Managing Ports" in the Oracle Fusion Middleware Administrator's Guide.

■ SSL enabled: Select this check box to enable the SSL listen port. By default, SSL is disabled for all new servers.

■ SSL listen port: Enter a valid value to be used for secure requests (through protocols such as HTTPS and T3S). The default value is the next available listen port. If you leave this field blank, the default value is used. For example, 7002.

Note: After you specify the SSL listen port value, you must update the oracle.security.jps.pd.clientPort property in the smconfig.wls.controlled.prp file or the smconfig.prp file with the SSL listen port value. You must then run the smconfig tool for Oracle WebLogic Server Security Module and set the Administration Server SSL port to the port specified in oracle.security.jps.pd.clientPort.

9. Optional: Configure Managed Servers, as required.

In the Configure Managed Servers screen, click Add and create two Managed Servers. Enter the following information:

■ Name: Enter OES_ManagedServer_1 and OES_ManagedServer_2.

■ Listen address: From the drop-down list, select a value for the listen address for OES_ManagedServer_1 and OES_ManagedServer_2.

■ Listen port: Enter a valid value for the listen port to be used for OES_ManagedServer_1 and OES_ManagedServer_2. The default value is the next available listen port. If you leave this field blank, the default value is used. The valid listen port range is 1 to 65535.

■ SSL enabled: Select this check box to enable the SSL listen port. By default, SSL is disabled for all new servers.

■ SSL listen port: Enter a valid value to be used for secure requests (through protocols such as HTTPS and T3S) for OES_ManagedServer_1 and OES_ManagedServer_2. The default value is the next available listen port. If you leave this field blank, the default value is used. The valid listen port range is 1 to 65535.

10. Optional: Configure Clusters, as required.

For more information about configuring clusters for Oracle Identity and Access Management products, see the "Configuring High Availability for Identity Management Components" topic in the Oracle Fusion Middleware High Availability Guide.

11. Optional: Assign Managed Servers to clusters, as required.

12. Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and the Managed Servers on another physical machine.

Tip: Before configuring a machine, use the ping command to verify that the machine or host name is reachable.

13. Optional: Assign the Administration Server to a machine.

14. Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

15. Optional: Configure RDBMS Security Store, as required.


16. On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain.

After configuring OES Client domain in a JRF environment, you must set up a connection to Oracle Database.

Setting Up Connection to Oracle Database

To set up the connection to Oracle Database, complete the following steps:

1. Create a JDBC Data Source using the WebLogic Server Administration Console. For more information, see "Create JDBC generic data sources" topic in the Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help document, available at the following link:

http://docs.oracle.com/cd/E23943_01/apirefs.1111/e13952/taskhelp/jdbc/jdbc_datasources/CreateDataSources.html

2. Open the jps-config.xml file located in <OES_DOMAIN_HOME>/config/oeswlssmconfig directory (on UNIX), or <OES_DOMAIN_HOME>\config\oeswlssmconfig directory (on Windows).

3. Locate pdp.service and replace the existing jdbc.url property with the following property:

<property value="jdbc/APMDBDS" name="datasource.jndi.name"/>

Note: jdbc/APMDBDS is the name of the JDBC data source used for OES.

4. Delete the following properties:

■ jdbc.driver

■ jdbc.url

■ bootstrap.security.principal.key

■ bootstrap.security.principal.map

5. Save the jps-config.xml file.

8.7.3.2 Configuring Web Service Security Module

To create a Web Service Security Module instance, run config.sh (located in OES_CLIENT_HOME/oessm/bin on UNIX) or config.cmd (located in OES_CLIENT_HOME\oessm\bin on Windows) as follows:

config.sh -smType ws -smConfigId mySM_Ws -serverPort 9410

In controlled-push mode, when prompted, specify the Oracle Entitlements Server Administration Server user name, the Oracle Entitlements Server Administration Server password, and a new key store password for enrollment.

In non-controlled and controlled-pull distribution modes, when prompted, specify the Oracle Entitlements Server schema user name and password.

This command also creates the client configuration for the Web Service Security Module instance.

Table 8–7 describes the parameters you specify on the command line.

Table 8–7 Web Service Security Module Parameters

Parameter Description

smType Type of security module instance you want to create. For the Web Service Security Module, the value for this parameter should be ws.

smConfigId Name of the security module instance. For example, mySM_ws.

serverPort The web service listening port. For example, 9410.

Note: Controlled-push distribution is the default distribution mode for Web Service Security Module.

8.7.3.3 Configuring Web Service Security Module on Oracle WebLogic Server

To create a Web Service Security Module instance on Oracle WebLogic Server, run config.sh (located in OES_CLIENT_HOME/oessm/bin on UNIX) or config.cmd (located in OES_CLIENT_HOME\oessm\bin on Windows) as follows:

config.sh -onJRF -smType ws -onWLS -smConfigId mySM_WsOnWLS -serverLocation <WebLogic_server_Home> -serverPort <WebLogic_server_port> -pdServer <oes_server_address> -pdPort <oes_server_ssl_port> -serverUserName <username> -serverPassword <password>

Note: If you are using a non-JRF environment, do not specify the -onJRF parameter.

In controlled-push mode, when prompted, specify the Oracle Entitlements Server Administration Server user name, the Oracle Entitlements Server Administration Server password, and a new key store password for enrollment.

In non-controlled and controlled-pull distribution modes, when prompted, specify the Oracle Entitlements Server schema user name and password.

This command also creates the client configuration for the Web Service Security Module instance on Oracle WebLogic Server.

Table 8–8 describes the parameters you specify on the command line.

Table 8–8 Parameters for Web Service Security Module on Oracle WebLogic Server

Parameter Description

smType Type of security module instance you want to create. For the Web Service Security Module, the value for this parameter should be ws.

smConfigId Name of the security module instance. For example, mySM_ws_Controlled.

pdServer The address of the Oracle Entitlements Server Administration Server.

pdPort The SSL port of the Oracle Entitlements Server Administration Server. For example, 7002.

serverLocation Location of the Oracle WebLogic Server.

serverPort Specify the Oracle WebLogic Administration Server port.

serverUserName Specify the Oracle WebLogic Server Administration user name. For example: weblogic

serverPassword Specify the Oracle WebLogic Server Administration password.

Note: Controlled-push distribution is the default distribution mode for Web Service Security Module on Oracle WebLogic Server in a non-JRF environment.

Non-controlled distribution is the default distribution mode for Web Service Security Module on Oracle WebLogic Server in a JRF environment.

The Configuration Wizard is displayed. You can create an OES Client domain with Web Service on Oracle WebLogic Server in a JRF environment or in a non-JRF environment. Depending on the option you select, complete one of the following:

■ Configuring Web Service on Oracle WebLogic Server Domain in a Non-JRF Environment

■ Configuring Web Service on Oracle WebLogic Server Domain in a JRF Environment

Configuring Web Service on Oracle WebLogic Server Domain in a Non-JRF Environment

To create a Web Service on Oracle WebLogic Server domain in a non-JRF environment, complete the following steps:

1. The Fusion Middleware Configuration Wizard appears after you invoke the Security Module configuration tool.

2. On the Welcome screen, select the Create a new WebLogic domain option. Click Next.

The Select Domain Source screen appears.

3. On the Select Domain Source screen, ensure that the Generate a domain configured automatically to support the following products: option is selected.

Select the Oracle Entitlements Server Web Service Security Module on Weblogic - 11.1.1.0 [oesclient] option. Click Next.

Note: Ensure that you do not select the domain template Oracle Entitlements Server for Admin Server - 11.1.1.0 [IAM_HOME], which is associated with the Oracle Entitlements Server Administration Server.


The Specify Domain Name and Location screen appears.

4. Enter a name and a location for the domain to be created, and click Next.

The Configure Administrator User Name and Password screen appears.

5. Enter a user name and a password for the administrator. The default user name is weblogic. Click Next.

Note: When you enter the user name and the password for the administrator, be sure to remember them.

The Configure Server Start Mode and JDK screen appears.

6. Choose a JDK from the Available JDKs and then select a WebLogic Domain Startup Mode. Click Next.

Note: Ensure that the JDK version you select is Java SE 6 Update 24 or higher.

The Select Optional Configuration screen is displayed.

7. On the Select Optional Configuration screen, you can configure Administration Server and Managed Servers, Clusters, and Machines, Deployments and Services, and RDBMS Security Store options. Click Next.

8. Optional: Configure the following Administration Server parameters:

■ Name: Valid server names are a string of alphabetic and numeric characters. The name must be unique in the domain. For example, AdminServer.

■ Listen address: From the drop-down list, select a value for the listen address. See Specifying the Listen Address for information about the available values.

■ Listen port: Enter a valid value for the listen port to be used for regular, nonsecure requests (through protocols such as HTTP and T3). The default value is the next available listen port. If you leave this field blank, the default value is used. For example, 7001.

Note: Ensure that the value for the listen port is different from the listen port of the other Oracle Identity and Access Management components. For more information, see "Managing Ports" in the Oracle Fusion Middleware Administrator's Guide.

■ SSL enabled: Select this check box to enable the SSL listen port. By default, SSL is disabled for all new servers.

■ SSL listen port: Enter a valid value to be used for secure requests (through protocols such as HTTPS and T3S). The default value is the next available listen port. If you leave this field blank, the default value is used. For example, 7002.

Note: After you specify the SSL listen port value, you must update the oracle.security.jps.pd.clientPort property in the smconfig.wls.controlled.prp file or the smconfig.prp file with the SSL listen port value. You must then run the smconfig tool for Oracle WebLogic Server Security Module and set the Administration Server SSL port to the port specified in oracle.security.jps.pd.clientPort.

9. Optional: Configure Managed Servers, as required.

In the Configure Managed Servers screen, click Add and create two Managed Servers. Enter the following information:

■ Name: Enter OES_ManagedServer_1 and OES_ManagedServer_2.

■ Listen address: From the drop-down list, select a value for the listen address for OES_ManagedServer_1 and OES_ManagedServer_2.

■ Listen port: Enter a valid value for the listen port to be used for OES_ManagedServer_1 and OES_ManagedServer_2. The default value is the next available listen port. If you leave this field blank, the default value is used. The valid listen port range is 1 to 65535.

■ SSL enabled: Select this check box to enable the SSL listen port. By default, SSL is disabled for all new servers.

■ SSL listen port: Enter a valid value to be used for secure requests (through protocols such as HTTPS and T3S) for OES_ManagedServer_1 and OES_ManagedServer_2. The default value is the next available listen port. If you leave this field blank, the default value is used. The valid listen port range is 1 to 65535.

10. Optional: Configure Clusters, as required.

For more information about configuring clusters for Oracle Identity and Access Management products, see the "Configuring High Availability for Identity Management Components" topic in the Oracle Fusion Middleware High Availability Guide.

11. Optional: Assign Managed Servers to clusters, as required.

12. Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and the Managed Servers on another physical machine.

Tip: Before configuring a machine, use the ping command to verify that the machine or host name is reachable.

13. Optional: Assign the Administration Server to a machine.

14. Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

15. Optional: Configure RDBMS Security Store, as required.

16. On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain.


Configuring Web Service on Oracle WebLogic Server Domain in a JRF Environment

To create the Web Service on Oracle WebLogic Server domain in a JRF environment, complete the following steps:

1. The Fusion Middleware Configuration Wizard appears after you invoke the Security Module configuration tool.

2. On the Welcome screen, select the Create a new WebLogic domain option. Click Next.

The Select Domain Source screen appears.

3. On the Select Domain Source screen, ensure that the Generate a domain configured automatically to support the following products: option is selected.

Select the Oracle Entitlements Server Web Service Security Module on Weblogic and JRF - 11.1.1.0 [oesclient] option. Click Next.

Note: Ensure that you do not select the domain template Oracle Entitlements Server for Admin Server - 11.1.1.0 [IAM_HOME], which is associated with the Oracle Entitlements Server Administration Server.

The Specify Domain Name and Location screen appears.

4. Enter a name and a location for the domain to be created, and click Next.

The Configure Administrator User Name and Password screen appears.

5. Enter a user name and a password for the administrator. The default user name is weblogic. Click Next.

Note: When you enter the user name and the password for the administrator, be sure to remember them.

The Configure Server Start Mode and JDK screen appears.

6. Choose a JDK from the Available JDKs and then select a WebLogic Domain Startup Mode. Click Next.

Note: Ensure that the JDK version you select is Java SE 6 Update 24 or higher.

The Select Optional Configuration screen is displayed.

7. On the Select Optional Configuration screen, you can configure Administration Server and Managed Servers, Clusters, and Machines, Deployments and Services, and RDBMS Security Store options. Click Next.

8. Optional: Configure the following Administration Server parameters:

■ Name: Valid server names are a string of alphabetic and numeric characters. The name must be unique in the domain. For example, AdminServer.

■ Listen address: From the drop-down list, select a value for the listen address. See Specifying the Listen Address for information about the available values.

■ Listen port: Enter a valid value for the listen port to be used for regular, nonsecure requests (through protocols such as HTTP and T3). The default value is the next available listen port. If you leave this field blank, the default value is used. For example, 7001.

Note: Ensure that the value for the listen port is different from the listen port of the other Oracle Identity and Access Management components. For more information, see "Managing Ports" in the Oracle Fusion Middleware Administrator's Guide.

■ SSL enabled: Select this check box to enable the SSL listen port. By default, SSL is disabled for all new servers.

■ SSL listen port: Enter a valid value to be used for secure requests (through protocols such as HTTPS and T3S). The default value is the next available listen port. If you leave this field blank, the default value is used. For example, 7002.

Note: After you specify the SSL listen port value, you must update the oracle.security.jps.pd.clientPort property in the smconfig.wls.controlled.prp file or the smconfig.prp file with the SSL listen port value. You must then run the smconfig tool for Oracle WebLogic Server Security Module and set the Administration Server SSL port to the port specified in oracle.security.jps.pd.clientPort.

9. Optional: Configure Managed Servers, as required.

In the Configure Managed Servers screen, click Add and create two Managed Servers. Enter the following information:

■ Name: Enter OES_ManagedServer_1 and OES_ManagedServer_2.

■ Listen address: From the drop-down list, select a value for the listen address for OES_ManagedServer_1 and OES_ManagedServer_2.

■ Listen port: Enter a valid value for the listen port to be used for OES_ManagedServer_1 and OES_ManagedServer_2. The default value is the next available listen port. If you leave this field blank, the default value is used. The valid listen port range is 1 to 65535.

■ SSL enabled: Select this check box to enable the SSL listen port. By default, SSL is disabled for all new servers.

■ SSL listen port: Enter a valid value to be used for secure requests (through protocols such as HTTPS and T3S) for OES_ManagedServer_1 and OES_ManagedServer_2. The default value is the next available listen port. If you leave this field blank, the default value is used. The valid listen port range is 1 to 65535.

10. Optional: Configure Clusters, as required.

For more information about configuring clusters for Oracle Identity and Access Management products, see the "Configuring High Availability for Identity Management Components" topic in the Oracle Fusion Middleware High Availability Guide.

11. Optional: Assign Managed Servers to clusters, as required.


12. Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

13. Optional: Assign the Administration Server to a machine.

14. Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

15. Optional: Configure RDBMS Security Store, as required.

16. On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain.

After configuring Web Service on Oracle WebLogic Server domain in a JRF environment, you must set up a connection to Oracle Database.

Setting Up Connection to Oracle Database

To set up the connection to Oracle Database, complete the following steps:

1. Create a JDBC Data Source using the WebLogic Server Administration Console. For more information, see "Create JDBC generic data sources" topic in the Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help document, available at the following link:

http://docs.oracle.com/cd/E23943_01/apirefs.1111/e13952/taskhelp/jdbc/jdbc_datasources/CreateDataSources.html

2. Open the jps-config.xml file located in <OES_DOMAIN_HOME>/config/oeswlssmconfig directory (on UNIX), or <OES_DOMAIN_HOME>\config\oeswlssmconfig directory (on Windows).

3. Locate pdp.service and replace the existing jdbc.url property with the following property:

<property value="jdbc/APMDBDS" name="datasource.jndi.name"/>

4. Delete the following properties:

■ jdbc.driver

■ jdbc.url

■ bootstrap.security.principal.key

■ bootstrap.security.principal.map

5. Save the jps-config.xml file.
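The jps-config.xml edit in steps 3 and 4 (here and in the identical procedure for the OES Client domain in a JRF environment) is small but easy to get wrong by hand: the pdp.service instance must end up referencing the data source by JNDI name only, with the direct JDBC URL and the bootstrap credential-store properties gone. The following Python script is an added example, not code from the guide; it applies both steps to a constructed jps-config.xml fragment (assumed serviceInstance/property layout) and verifies the result.

```python
"""Apply and verify the pdp.service edits from "Setting Up Connection to Oracle
Database" (added example): replace jdbc.url with datasource.jndi.name and
delete the direct-JDBC and bootstrap properties."""
import xml.etree.ElementTree as ET

DATASOURCE_JNDI_NAME = "jdbc/APMDBDS"          # value from the guide
PROPERTIES_TO_DELETE = (                        # step 4 of the guide
    "jdbc.driver",
    "jdbc.url",
    "bootstrap.security.principal.key",
    "bootstrap.security.principal.map",
)

# Constructed sample of the relevant part of jps-config.xml before the edit.
# The element layout is an assumption; the property names are the guide's.
SAMPLE_JPS_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
  <serviceInstances>
    <serviceInstance name="pdp.service" provider="pdp.service.provider">
      <property name="oracle.security.jps.pd.clientPort" value="7002"/>
      <property name="jdbc.driver" value="oracle.jdbc.driver.OracleDriver"/>
      <property name="jdbc.url" value="jdbc:oracle:thin:@dbhost.example.com:1521:orcl"/>
      <property name="bootstrap.security.principal.key" value="bootstrap"/>
      <property name="bootstrap.security.principal.map" value="BOOTSTRAP_JPS"/>
    </serviceInstance>
  </serviceInstances>
</jpsConfig>
"""


def _local_name(tag):
    """Strip the namespace from an ElementTree tag: '{uri}property' -> 'property'."""
    return tag.rsplit("}", 1)[-1] if isinstance(tag, str) else ""


def _find_pdp_service(root):
    for element in root.iter():
        if _local_name(element.tag) == "serviceInstance" and element.get("name") == "pdp.service":
            return element
    raise ValueError("jps-config.xml has no serviceInstance named pdp.service")


def _properties(instance):
    return [child for child in instance if _local_name(child.tag) == "property"]


def pdp_service_properties(xml_text):
    """Return the pdp.service properties as a {name: value} dict."""
    pdp = _find_pdp_service(ET.fromstring(xml_text))
    return {prop.get("name"): prop.get("value") for prop in _properties(pdp)}


def switch_pdp_service_to_datasource(xml_text, jndi_name=DATASOURCE_JNDI_NAME):
    """Step 3: turn the jdbc.url property into datasource.jndi.name (same position).
    Step 4: delete the direct-JDBC and bootstrap properties. Returns the new XML text."""
    root = ET.fromstring(xml_text)
    if root.tag.startswith("{"):        # keep the default namespace unprefixed on output
        ET.register_namespace("", root.tag[1:].split("}", 1)[0])
    pdp = _find_pdp_service(root)
    jdbc_urls = [prop for prop in _properties(pdp) if prop.get("name") == "jdbc.url"]
    if not jdbc_urls:
        raise ValueError("pdp.service has no jdbc.url property to replace")
    jdbc_urls[0].set("name", "datasource.jndi.name")
    jdbc_urls[0].set("value", jndi_name)
    for prop in _properties(pdp):       # step 4 (any duplicate jdbc.url goes too)
        if prop.get("name") in PROPERTIES_TO_DELETE:
            pdp.remove(prop)
    return ET.tostring(root, encoding="unicode")


def verify_pdp_service(xml_text, jndi_name=DATASOURCE_JNDI_NAME):
    """Return the problems found; an empty list means the file matches the guide."""
    props = pdp_service_properties(xml_text)
    problems = []
    if props.get("datasource.jndi.name") != jndi_name:
        problems.append(f"datasource.jndi.name is {props.get('datasource.jndi.name')!r}, "
                        f"expected {jndi_name!r}")
    for name in PROPERTIES_TO_DELETE:
        if name in props:
            problems.append(f"property {name} should have been deleted")
    return problems


if __name__ == "__main__":
    print("before:", verify_pdp_service(SAMPLE_JPS_CONFIG))
    edited = switch_pdp_service_to_datasource(SAMPLE_JPS_CONFIG)
    print(edited)
    print("after:", verify_pdp_service(edited))
```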

8.7.3.4 Configuring Oracle Service Bus Security ModuleTo create a Oracle Service Bus Security Module instance, you must run the config.sh (located in OES_CLIENT_HOME/oessm/bin on UNIX) or config.cmd (located in OES_CLIENT_HOME\oessm\bin on Windows) as follows:

Tip: Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.

Note: jdbc/APMDBDS is the name of the JDBC datasource used for the OES.


config.sh -onJRF -smType wls -smConfigId myosb_WLS -serverLocation <server_location>

Table 8–9 describes the parameters you specify on the command line.

Table 8–9 Oracle Service Bus Security Module Parameters

Parameter Description

smType Type of security module instance you want to create. For the Oracle Service Bus Security Module, specify wls.

smConfigId Name of the security module instance. For example, myosb_WLS.

serverLocation The location of Oracle WebLogic Server.

Note: Non-controlled distribution is the default distribution mode for the Oracle Service Bus Security Module.

The Configuration Wizard is displayed. Create an OES Client domain with the Oracle Service Bus environment as follows:

1. The Fusion Middleware Configuration Wizard appears after you invoke the Security Module configuration tool.

2. On the Welcome screen, select the Create a new WebLogic domain option. Click Next.

The Select Domain Source screen appears.

3. On the Select Domain Source screen, ensure that the Generate a domain configured automatically to support the following products: option is selected.

Select the Oracle Entitlements Server Security Module On Service Bus - 11.1.1.0 [OESCLIENT] option. Click Next.

Note: Ensure that you do not select the domain template Oracle Entitlements Server for Admin Server - 11.1.1.0 [IAM_HOME], which is associated with the Oracle Entitlements Server Administration Server.

The Specify Domain Name and Location screen appears.

4. Enter a name and a location for the domain to be created, and click Next.

The Configure Administrator User Name and Password screen appears.

5. Enter a user name and a password for the administrator. The default user name is weblogic. Click Next.

Note: Record the administrator user name and password; you need them to administer the domain.

The Configure Server Start Mode and JDK screen appears.

6. Choose a JDK from the Available JDKs and then select a WebLogic Domain Startup Mode. Click Next.

Note: Ensure that the JDK version you select is Java SE 6 Update 24 or higher.

The Select Optional Configuration screen is displayed.

7. On the Select Optional Configuration screen, you can configure Administration Server and Managed Servers, Clusters, and Machines, Deployments and Services, and RDBMS Security Store options. Click Next.

8. Optional: Configure the following Administration Server parameters:

■ Name: Valid server names are a string of alphabetic and numeric characters. The name must be unique in the domain. For example, AdminServer.

■ Listen address: From the drop-down list, select a value for the listen address. See Specifying the Listen Address for information about the available values.

■ Listen port: Enter a valid value for the listen port to be used for regular, nonsecure requests (through protocols such as HTTP and T3). The default value is the next available listen port. If you leave this field blank, the default value is used. For example, 7001.

■ SSL enabled: Select this check box to enable the SSL listen port. By default, SSL is disabled for all new servers.

■ SSL listen port: Enter a valid value to be used for secure requests (through protocols such as HTTPS and T3S). The default value is the next available listen port. If you leave this field blank, the default value is used. For example, 7002.

Note: Ensure that the value for the listen port is different from the listen port of the other Oracle Identity and Access Management components. For more information, see "Managing Ports" in the Oracle Fusion Middleware Administrator's Guide.

Note: After you specify the SSL listen port value, you must update the oracle.security.jps.pd.clientPort property in the smconfig.wls.controlled.prp file or the smconfig.prp file with the SSL listen port value. You must then run the smconfig tool for the Oracle WebLogic Server Security Module and set the Administration Server SSL port to the port specified in oracle.security.jps.pd.clientPort.

9. Optional: Configure Managed Servers, as required.

In the Configure Managed Servers screen, click Add and create two Managed Servers. Enter the following information:

■ Name: Enter OES_ManagedServer_1 and OES_ManagedServer_2.

■ Listen address: From the drop-down list, select a value for the listen address for OES_ManagedServer_1 and OES_ManagedServer_2.

■ Listen port: Enter a valid value for the listen port to be used for OES_ManagedServer_1 and OES_ManagedServer_2. The default value is the next available listen port. If you leave this field blank, the default value is used. The valid listen port range is 1 to 65535.

■ SSL enabled: Select this check box to enable the SSL listen port. By default, SSL is disabled for all new servers.

■ SSL listen port: Enter a valid value to be used for secure requests (through protocols such as HTTPS and T3S) for OES_ManagedServer_1 and OES_ManagedServer_2. The default value is the next available listen port. If you leave this field blank, the default value is used. The valid listen port range is 1 to 65535.

10. Optional: Configure Clusters, as required.

For more information about configuring clusters for Oracle Identity and Access Management products, see the "Configuring High Availability for Identity Management Components" topic in the Oracle Fusion Middleware High Availability Guide.

11. Optional: Assign Managed Servers to clusters, as required.

12. Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

Tip: Before configuring a machine, use the ping command to verify that the machine or host name is reachable.

13. Optional: Assign the Administration Server to a machine.

14. Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

15. Optional: Configure RDBMS Security Store, as required.

16. On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain.

After configuring the Oracle Service Bus Security Module in a JRF environment, you must set up a connection to Oracle Database.

Setting Up Connection to Oracle Database

To set up the connection to Oracle Database, complete the following steps:

1. Create a JDBC Data Source using the WebLogic Server Administration Console. For more information, see the "Create JDBC generic data sources" topic in the Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help, available at the following link:

http://docs.oracle.com/cd/E23943_01/apirefs.1111/e13952/taskhelp/jdbc/jdbc_datasources/CreateDataSources.html

2. Open the jps-config.xml file located in the <OES_DOMAIN_HOME>/config/oeswlssmconfig directory (on UNIX) or the <OES_DOMAIN_HOME>\config\oeswlssmconfig directory (on Windows).

3. Locate the pdp.service service instance and replace the existing jdbc.url property with the following property:

<property value="jdbc/APMDBDS" name="datasource.jndi.name"/>

Note: jdbc/APMDBDS is the JNDI name of the JDBC data source used by Oracle Entitlements Server; it must match the JNDI name you gave the data source in step 1.

4. Delete the following properties:

■ jdbc.driver

■ jdbc.url

■ bootstrap.security.principal.key

■ bootstrap.security.principal.map

5. Save the jps-config.xml file.

Configuring Authorization Provider

You must configure an Authorization provider. For information about configuring an Authorization provider, see the "Configure Authorization providers" topic in the Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help, available at the following link:

http://docs.oracle.com/cd/E23943_01/apirefs.1111/e13952/taskhelp/security/ConfigureAuthorizationProviders.html

Configuring Role Mapping Provider

You must configure a Role Mapping provider. For information about configuring a Role Mapping provider, see the "Configure Role Mapping providers" topic in the Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help, available at the following link:

http://docs.oracle.com/cd/E23943_01/apirefs.1111/e13952/taskhelp/security/ConfigureRoleMappingProviders.html

8.7.3.5 Configuring IBM WebSphere Security Module

You can configure the WebSphere Security Module in a JRF environment or in a non-JRF environment. Depending on the option you select, complete one of the following:

■ Configuring WebSphere Security Module in a Non-JRF Environment

■ Configuring WebSphere Security Module in a JRF Environment

8.7.3.5.1 Configuring WebSphere Security Module in a Non-JRF Environment

To configure the WebSphere Security Module in a non-JRF environment, complete the following steps:

1. Create a new application server using the IBM WebSphere console and name it OesServer.

2. Start the application server (OesServer) that you created in IBM WebSphere.

3. Open the smconfig.prp file in a text editor and specify the PD client port and the PD application client context. The PD client port is the SSL port number of the IBM WebSphere application server, and the PD application client context is the location where was-client.jar is deployed. For example:

oracle.security.jps.pd.was.client.appcontext=pd-client
oracle.security.jps.pd.clientPort=8002
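Both the note under step 8 of the WebLogic domain configuration (copy the Administration Server SSL listen port into oracle.security.jps.pd.clientPort in smconfig.wls.controlled.prp or smconfig.prp) and step 3 above (set the client port and the application context for WebSphere) amount to editing a Java properties file without disturbing the rest of it. The Python script below is an added example, not part of Oracle's tooling: it rewrites those keys in place, keeping comments, order and unrelated keys, appends a key that is not yet present, and rejects a port outside 1 to 65535 before anything is written. The two property names are the ones the steps quote; the sample file contents and the helper names are constructed for the demonstration.

```python
"""Set the client port (and, for WebSphere, the application context) in an
OES Security Module .prp file such as smconfig.prp or
smconfig.wls.controlled.prp.  Added example, not Oracle tooling: the two
property names are the ones quoted in the installation steps, the sample
file is constructed, and the parser handles the plain key=value form those
files use (no line continuations or escaped keys)."""
import re

PORT_KEY = "oracle.security.jps.pd.clientPort"
APPCONTEXT_KEY = "oracle.security.jps.pd.was.client.appcontext"

# key = value or key: value, with optional leading whitespace.
_KV_RE = re.compile(r"^(\s*)([^#!=:\s][^=:\s]*)\s*[=:]\s*(.*)$")

# Constructed sample; not a real smconfig.prp.
SAMPLE_SMCONFIG_PRP = """# OES security module configuration (constructed sample)
oracle.security.jps.runtime.pd.client.policyDistributionMode=controlled-push
oracle.security.jps.pd.clientPort=7002
"""


def parse_properties(text):
    """Key/value view of the file; comments and blank lines are skipped."""
    props = {}
    for line in text.splitlines():
        m = _KV_RE.match(line)
        if m:
            props[m.group(2)] = m.group(3).strip()
    return props


def valid_port(value):
    """True for an integer in the TCP port range 1-65535."""
    try:
        return 1 <= int(str(value).strip()) <= 65535
    except ValueError:
        return False


def set_properties(text, updates):
    """Return text with every key in `updates` set to its new value.

    Existing keys are rewritten in place so order and comments survive;
    keys that are not yet present are appended at the end."""
    pending = dict(updates)
    out = []
    for line in text.splitlines():
        m = _KV_RE.match(line)
        if m and m.group(2) in pending:
            key = m.group(2)
            out.append("%s%s=%s" % (m.group(1), key, pending.pop(key)))
        else:
            out.append(line)
    for key, value in pending.items():
        out.append("%s=%s" % (key, value))
    return "\n".join(out) + "\n"


def set_client_port(text, ssl_port):
    """WebLogic case: point clientPort at the Administration Server SSL listen port."""
    if not valid_port(ssl_port):
        raise ValueError("SSL listen port out of range: %r" % (ssl_port,))
    return set_properties(text, {PORT_KEY: str(int(ssl_port))})


def configure_was_client(text, ssl_port, appcontext="pd-client"):
    """WebSphere case: clientPort = application server SSL port, plus the
    context under which was-client.jar is deployed."""
    return set_properties(set_client_port(text, ssl_port), {APPCONTEXT_KEY: appcontext})


def update_prp_file(path, ssl_port, appcontext=None):
    """Apply the change to a file on disk and return the resulting properties."""
    with open(path, encoding="utf-8") as f:
        text = f.read()
    new_text = (configure_was_client(text, ssl_port, appcontext)
                if appcontext else set_client_port(text, ssl_port))
    with open(path, "w", encoding="utf-8") as f:
        f.write(new_text)
    return parse_properties(new_text)


if __name__ == "__main__":
    print(configure_was_client(SAMPLE_SMCONFIG_PRP, 8002))
```

Run it against the real file with update_prp_file("<path to smconfig.prp>", "<SSL port>", "pd-client") for WebSphere, or without the third argument for the WebLogic case; the port check exists because a mistyped port is otherwise only discovered when the Security Module fails to reach the Administration Server.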

4. Run the config.sh command as follows:

$OES_CLIENT_HOME/oessm/bin/config.sh -smType was -smConfigId mySM_WAS -serverLocation WAS_HOME

WAS_HOME is the location of the IBM WebSphere Application Server.

For any distribution mode you choose, you must specify the IBM WebSphere server user name and password when prompted.

In controlled-push mode, you are prompted for the Oracle Entitlements Server Administration Server user name and password, and a new key store password for enrollment.

In non-controlled and controlled-pull modes, you are prompted for the Oracle Entitlements Server schema user name and password.

Table 8–10 describes the parameters you specify on the command line.

Table 8–10 IBM WebSphere Security Module Parameters

Parameter Description

smType Type of security module instance you want to create. For example, was.

smConfigId Name of the security module instance. For example, mySM_WAS.

serverLocation Location of the IBM WebSphere Server.

Note: Controlled-push distribution is the default distribution mode for the IBM WebSphere Security Module in a non-JRF environment.

5. Configure SSL for the IBM WebSphere application server as follows:

a. Import the Oracle WebLogic Server demo trust certificate into the IBM WebSphere node default trust keystore and cell default trust keystore. First use keytool to export the WLS demo trust certificate from the WLS demo trust keystore file (or from the OES trust.jks file) into a .der file, as shown in the following example:

keytool -exportcert -keystore $OES_CLIENT_HOME/oessm/enroll/DemoTrust.jks -alias wlscertgencab -file ~/was.der

The WebLogic demo identity and trust keystores are intended for development and test only; in production, export and import the certificate of the CA that actually issued the Oracle Entitlements Server Administration Server certificate instead.

b. Import the was.der file into the WAS node default trust keystore and cell default trust keystore as follows:

– In the IBM WebSphere Administration Server console, go to Security -> SSL certificate and key management -> Key stores and certificates -> <NodeDefaultTrustStore> or <CellDefaultTrustStore> (repeat the import for each) -> Signer certificates.

– Click Add.

– Enter an alias. For example, WLS.

– Choose the .der file that you exported earlier, and select DER as the data type.

Note: For the WAS ND edition, you must import the demo trust certificate into both trust stores (node default and cell default). The private key is imported into one keystore only.

c. Import the issued private key into the IBM WebSphere node default keystore as follows:

– In the IBM WebSphere Administration Server console, go to Security -> SSL certificate and key management -> Key stores and certificates -> NodeDefaultKeyStore -> Personal certificates.

– Click Import.

– Select Keystore and enter the path to the keystore file (located in OES_CLIENT_HOME/oes_sm_instances/mySM_WAS/security/identity.jks).

– Select JKS as the type and enter the password you used to create the keystore file.

– The certificate alias is the same as the host name.

d. Enable inbound SSL for the server running the IBM WebSphere Security Module as follows:

– In the IBM WebSphere administration console, go to Security -> SSL certificate and key management -> Manage endpoint security configurations.

– Expand the Inbound tree: Inbound -> DefaultCell(CellDefaultSSLSettings) -> nodes -> DefaultCellFederatedNode -> servers -> <server name running IBM WebSphere Security Module>, and select the server.

– In the General Properties page, select Override inherited values.

– From the SSL configuration list, select NodeDefaultSSLSettings.

– Click the Update certificate alias list button, and then choose the newly imported private key alias in the Certificate alias in key store list.

– Click Apply.

e. Enable outbound SSL for the server running the IBM WebSphere Security Module as follows:

– In the IBM WebSphere administration console, go to Security -> SSL certificate and key management -> Manage endpoint security configurations.

– Expand the Outbound tree: Outbound -> DefaultCell(CellDefaultSSLSettings) -> nodes -> DefaultCellFederatedNode -> servers -> <server name running IBM WebSphere Security Module>, and select the server.

– In the General Properties page, select Override inherited values.

– From the SSL configuration list, select NodeDefaultSSLSettings.

– Click Update certificate alias list, and choose the newly imported private key alias in the Certificate alias in key store list.

– Click Apply.

8.7.3.5.2 Configuring WebSphere Security Module in a JRF Environment

To configure the WebSphere Security Module in a JRF environment, complete the following steps:

1. Configure IBM WebSphere Application Server, as described in the Oracle Fusion Middleware Configuration Guide for IBM WebSphere Application Server, available at the following link:

http://docs.oracle.com/cd/E21764_01/web.1111/e17764/toc.htm

Note: In the Add Products to Cell screen, ensure that you select Oracle JRF for WebSphere - 11.1.1.0 [oracle_common].

2. Run the config.sh command as follows:

$OES_CLIENT_HOME/oessm/bin/config.sh -smType was -smConfigId mySM_WAS -onJRF -conntype SOAP -host <websphere_host> -port <websphere_port> -user <username> -password <password> -serverLocation WAS_HOME

WAS_HOME is the location of the IBM WebSphere Application Server.

Because the WebSphere password is passed as a command-line argument, it is recorded in the shell history and is visible to other users in the process list while config.sh runs.

For any distribution mode you choose, you must specify the IBM WebSphere server user name and password when prompted.

In controlled-push mode, you are prompted for the Oracle Entitlements Server Administration Server user name and password, and a new key store password for enrollment.

In non-controlled and controlled-pull modes, you are prompted for the Oracle Entitlements Server schema user name and password.

Table 8–11 describes the parameters you specify on the command line.

Table 8–11 IBM WebSphere Security Module Parameters (JRF Environment)

Parameter Description

smType Type of security module instance you want to create. For example, was.

smConfigId Name of the security module instance. For example, mySM_WAS.

serverLocation Location of the IBM WebSphere Server.

host Specify the WebSphere host name.

port Specify the WebSphere Node Manager port. For example, 8882.

user Specify the WebSphere user name. For example, websphere.

password Specify the WebSphere password.

Note: Non-controlled distribution is the default distribution mode for the IBM WebSphere Security Module in a JRF environment.


After configuring WebSphere Security Module in a JRF environment, you must set up a connection to Oracle Database.

Setting Up Connection to Oracle Database

To set up the connection to Oracle Database, complete the following steps:

1. Create a JDBC Data Source using the WebLogic Server Administration Console. For more information, see the "Create JDBC generic data sources" topic in the Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help, available at the following link:

http://docs.oracle.com/cd/E23943_01/apirefs.1111/e13952/taskhelp/jdbc/jdbc_datasources/CreateDataSources.html

2. Open the jps-config.xml file located in the <OES_DOMAIN_HOME>/config/oeswlssmconfig directory (on UNIX) or the <OES_DOMAIN_HOME>\config\oeswlssmconfig directory (on Windows).

3. Locate the pdp.service service instance and replace the existing jdbc.url property with the following property:

<property value="jdbc/APMDBDS" name="datasource.jndi.name"/>

4. Delete the following properties:

■ jdbc.driver

■ jdbc.url

■ bootstrap.security.principal.key

■ bootstrap.security.principal.map

5. Save the jps-config.xml file.
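The jps-config.xml edit in steps 2 to 5, which this section repeats verbatim for the Web Service Security Module on WebLogic, the Oracle Service Bus Security Module and the WebSphere Security Module in a JRF environment, is mechanical but easy to get half right by hand, and a pdp.service instance that keeps a stale jdbc.url or bootstrap credential key next to the new data source reference is the usual result. The following Python script is an added example, not part of Oracle's tooling: it locates the pdp.service instance, replaces jdbc.url in place with datasource.jndi.name, deletes the four listed properties, refuses to write anything back if any of them survive, and leaves every other service instance alone. The namespace URI in the constructed sample document and the helper names are assumptions made for the demonstration.

```python
"""Switch the pdp.service instance in an OES Security Module jps-config.xml
from a direct JDBC URL to a container data source, as the installation
steps describe.  Added example, not Oracle tooling.  The namespace URI and
the sample document below are constructed for the demonstration; a real
file has many more service instances, which this code leaves untouched."""
import shutil
import xml.etree.ElementTree as ET

# Properties the steps say to delete once datasource.jndi.name is in place.
DIRECT_JDBC_PROPERTIES = (
    "jdbc.driver",
    "jdbc.url",
    "bootstrap.security.principal.key",
    "bootstrap.security.principal.map",
)

# Constructed sample, not a real jps-config.xml.
SAMPLE_JPS_CONFIG = """<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
  <serviceInstances>
    <serviceInstance name="credstore" provider="credstoressp"/>
    <serviceInstance name="pdp.service" provider="pdp.service.provider">
      <property name="oracle.security.jps.runtime.pd.client.policyDistributionMode" value="non-controlled"/>
      <property name="jdbc.driver" value="oracle.jdbc.driver.OracleDriver"/>
      <property name="jdbc.url" value="jdbc:oracle:thin:@dbhost.example.com:1521/oes"/>
      <property name="bootstrap.security.principal.key" value="oes_sm_key"/>
      <property name="bootstrap.security.principal.map" value="oes_sm_map"/>
    </serviceInstance>
  </serviceInstances>
</jpsConfig>
"""


def _local(tag):
    """'{uri}property' -> 'property'; lets the code ignore the namespace."""
    return tag.rsplit("}", 1)[-1]


def _find_instance(root, name):
    for elem in root.iter():
        if _local(elem.tag) == "serviceInstance" and elem.get("name") == name:
            return elem
    return None


def pdp_properties(xml_text):
    """Ordered list of (name, value) pairs under pdp.service, for inspection."""
    pdp = _find_instance(ET.fromstring(xml_text), "pdp.service")
    if pdp is None:
        return []
    return [(p.get("name"), p.get("value")) for p in pdp if _local(p.tag) == "property"]


def switch_pdp_to_datasource(xml_text, jndi_name="jdbc/APMDBDS"):
    """Return (new_xml_text, names_removed).

    jdbc.url is replaced, in place, by datasource.jndi.name; the other
    direct-JDBC and bootstrap credential properties are deleted.  Fails
    loudly if pdp.service is absent or any of them survive, so a partly
    edited file is never written back."""
    root = ET.fromstring(xml_text)
    if root.tag.startswith("{"):
        # Keep the default namespace on output instead of an ns0: prefix.
        ET.register_namespace("", root.tag[1:root.tag.index("}")])
    pdp = _find_instance(root, "pdp.service")
    if pdp is None:
        raise ValueError("no serviceInstance named pdp.service")
    ns = pdp.tag[: pdp.tag.index("}") + 1] if pdp.tag.startswith("{") else ""
    removed, placed = [], False
    for prop in list(pdp):
        name = prop.get("name")
        if _local(prop.tag) != "property" or name is None:
            continue
        if name == "jdbc.url" and not placed:
            idx = list(pdp).index(prop)
            pdp.remove(prop)
            pdp.insert(idx, ET.Element(ns + "property",
                                       {"name": "datasource.jndi.name", "value": jndi_name}))
            removed.append(name)
            placed = True
        elif name in DIRECT_JDBC_PROPERTIES:
            pdp.remove(prop)
            removed.append(name)
        elif name == "datasource.jndi.name":
            if placed:
                pdp.remove(prop)              # duplicate: keep the one already placed
            else:
                prop.set("value", jndi_name)  # already converted: just refresh the value
                placed = True
    if not placed:
        pdp.append(ET.Element(ns + "property",
                              {"name": "datasource.jndi.name", "value": jndi_name}))
    leftover = [p.get("name") for p in pdp if p.get("name") in DIRECT_JDBC_PROPERTIES]
    if leftover:
        raise RuntimeError("still present after edit: %s" % leftover)
    return ET.tostring(root, encoding="unicode"), removed


def rewrite_file(path, jndi_name="jdbc/APMDBDS"):
    """Edit jps-config.xml on disk, keeping a .bak copy of the original."""
    with open(path, encoding="utf-8") as f:
        original = f.read()
    new_xml, removed = switch_pdp_to_datasource(original, jndi_name)
    shutil.copyfile(path, path + ".bak")
    with open(path, "w", encoding="utf-8") as f:
        f.write(new_xml)
    return removed


if __name__ == "__main__":
    new_xml, removed = switch_pdp_to_datasource(SAMPLE_JPS_CONFIG)
    print("removed:", removed)
    print(new_xml)
```

Call rewrite_file("<OES_DOMAIN_HOME>/config/oeswlssmconfig/jps-config.xml") after the data source exists; the jndi_name argument must equal the JNDI name given to the data source in step 1, since that is how the Security Module looks it up at runtime. Running the function a second time is harmless: it finds datasource.jndi.name already present and removes nothing.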

Note: jdbc/APMDBDS is the JNDI name of the JDBC data source used by Oracle Entitlements Server; it must match the JNDI name you gave the data source in step 1.

8.7.3.6 Configuring JBoss Security Module

To create a JBoss Security Module instance, run config.sh (located in OES_CLIENT_HOME/oessm/bin on UNIX) or config.cmd (located in OES_CLIENT_HOME\oessm\bin on Windows) as follows:

config.sh -smType jboss -smConfigId mySM_JBOSS -serverLocation <middleware>/jbosslocation/

Table 8–12 describes the parameters you specify on the command line.

Table 8–12 JBoss Security Module Parameters

Parameter Description

smType Type of security module instance you want to create. For example, jboss.

smConfigId Name of the security module instance. For example, mySM_JBOSS.

serverLocation The location of JBoss Application Server.

Note: Controlled-push distribution is the default distribution mode for the JBoss Security Module.

To make controlled-push mode work, log in to the WebLogic Administration Console and go to Environment > Servers > AdminServer > SSL. The Settings for AdminServer page is displayed. Click the Advanced tab and select Use Server Certs.

8.7.3.7 Configuring the Apache Tomcat Security Module

To create an Apache Tomcat Security Module instance, run config.sh (located in OES_CLIENT_HOME/oessm/bin on UNIX) or config.cmd (located in OES_CLIENT_HOME\oessm\bin on Windows) as follows:

config.sh -smType tomcat -smConfigId my_tomcat_sm_push -pdServer <oes_server_address> -pdPort <oes_server_port> -sslPort <oes_server_ssl_port> -serverLocation <apache-tomcat Home> -jaxwsRIHome <jaxwsRI_Home> -serverUserName <username> -serverPassword <password>

Table 8–13 describes the parameters you specify on the command line.

Table 8–13 Apache Tomcat Security Module Parameters

Parameter Description

smType Type of security module instance you want to create. For example, tomcat.

smConfigId Name of the security module instance. For example, my_tomcat_sm_push.

pdServer The address of the Oracle Entitlements Server Administration Server.

pdPort The port number of the Oracle Entitlements Server Administration Server. For example, 7002.

sslPort The SSL port number of the Oracle Entitlements Server Administration Server. For example, 8449.

serverLocation The location of the Apache Tomcat server.

jaxwsRIHome The location of JAXWS-RI.

serverUserName Specify the Oracle WebLogic Server Administration user name. For example, weblogic.

serverPassword Specify the Oracle WebLogic Server Administration password.

Note: JAXWS support is required in controlled-push mode. Apache Tomcat does not have JAXWS support by default. You can download JAXWS-RI from the following location:

http://jax-ws.java.net/2.1.7/

Note: Controlled-push distribution is the default distribution mode for the Apache Tomcat Security Module.

To make controlled-push mode work, log in to the WebLogic Administration Console and go to Environment > Servers > AdminServer > SSL. The Settings for AdminServer page is displayed. Click the Advanced tab and select Use Server Certs.

8.7.3.8 Configuring Java Security Module

To create a Java Security Module instance, run config.sh (located in OES_CLIENT_HOME/oessm/bin on UNIX) or config.cmd (located in OES_CLIENT_HOME\oessm\bin on Windows) as follows:

config.sh -smType java -smConfigId mySM_Java

In controlled-push mode, you are prompted for the Oracle Entitlements Server Administration Server user name and password, and a new key store password for enrollment.

In non-controlled and controlled-pull modes, you are prompted for the Oracle Entitlements Server schema user name and password.

Table 8–14 describes the parameters you specify on the command line.

Table 8–14 JSE Security Module Parameters

Parameter Description

smType Type of security module instance you want to create. For example, java.

smConfigId Name of the security module instance. For example, mySM_Java.

Note: Controlled-push distribution is the default distribution mode for the JSE Security Module.

If you use the default values described in Table 8–14, the Java Security Module instance is created at OES_CLIENT_HOME/oes_sm_instances/mySM_Java.

Note: If you are using the Java Security Module in proxy mode with the Web Service Security Module or the RMI Security Module, you must use oes-ws-client.jar or oes-rmi-client.jar, respectively, and ensure that you do not use oes-client.jar.

8.7.3.9 Configuring RMI Security Module

To configure an RMI Security Module instance, run config.sh (located in OES_CLIENT_HOME/oessm/bin on UNIX) or config.cmd (located in OES_CLIENT_HOME\oessm\bin on Windows) as follows:

config.sh -smType rmi -smConfigId mySM_Rmi -serverPort 9405

In controlled-push mode, when prompted, specify the Oracle Entitlements Server Administration Server user name and password, and a new key store password for enrollment.

In non-controlled and controlled-pull distribution modes, when prompted, specify the Oracle Entitlements Server schema user name and password.

Table 8–15 describes the parameters you specify on the command line.

Table 8–15 RMI Security Module Parameters

Parameter Description

smType The type of security module instance you want to create. For example, rmi.

smConfigId The name of the security module instance. For example, mySM_Rmi.

serverPort The RMI listening port. For example, 9405.

Note: Controlled-push distribution is the default distribution mode for the RMI Security Module.

This command also creates the client configuration for the RMI Security Module instance.

8.7.3.10 Configuring Microsoft .NET Security Module

This section includes the following topics:

■ Prerequisites for Configuring .NET Security Module

■ Microsoft .NET Configuration Scenarios

8.7.3.10.1 Prerequisites for Configuring .NET Security Module

Before configuring the .NET Security Module, open the dotnetsm_config.properties file (located in <MW_Home>\as_1\oessm\dotnetsm\configtool) and update the following information:

■ application.config.file: Specify the path of the configuration file, based on the type of .NET application. For example, app.config or web.config.

■ application.log4NetXmlfile: Specify the location of the log4net.xml configuration file. If you do not have an existing logging configuration file, specify the default location (OES_CLIENT_HOME/oessm/dotnetsm/logging/log4Net.xml).

■ wssm.smurl: Specify the OES web service URI exposed through the WSSM, in the following format:

http://<host>:<port>/Ssmws

■ gac.utility: Specify the location of the Microsoft .NET Framework Global Assembly Cache utility (gacutil). You can define the following operations:

config: If you select this option, the SMconfig tool registers OES-PEP.dll and log4NET.dll in the GAC by using the utility.

remove: If you select this option, the SMconfig tool removes the DLLs from the GAC by using the utility and removes the configuration parameters from application.config.file.

8.7.3.10.2 Microsoft .NET Configuration Scenarios

You can configure the .NET Security Module in the following scenarios:

■ Scenario 1: .NET and Web Service on a Single Machine

■ Scenario 2: .NET and Web Service on Different Machines

Scenario 1: .NET and Web Service on a Single Machine

If .NET and Web Service are installed on a single machine, the following configurations are possible:

■ Configuring .NET Security Module and Web Service Security Module

■ Configuring .NET Security Module

Configuring .NET Security Module and Web Service Security Module

Perform the configuration in this scenario if .NET and Web Service are installed on a single machine, and you want to configure both the .NET Security Module and the Web Service Security Module.

Run config.cmd, located in the OES_CLIENT_HOME\oessm\bin directory (on Windows), as follows:

config.cmd -smType dotnetws -prpFileName <ws_config> -dotnetprpFileName <dotnetsm_config> -smConfigId myDotnet -pdServer <oes_server_address> -pdPort <oes_server_ssl_port> -WSListeningPort 9410

Table 8–16 describes the parameters you specify on the command line.

Table 8–16 .NET Security Module Parameters

Parameter Description

smType The type of security module instance you want to create. For example, dotnetws.

smConfigId The name of the security module instance. For example, myDotnet.

prpFileName Specify the path to the smconfig.prp file located in <OES_Client_Home>\oessm\wssm\configtool.

dotnetprpFileName Specify the path to the dotnetsm_config.properties file located in <OES_Client_Home>\oessm\dotnetsm\configtool.

pdServer The address of the Oracle Entitlements Server Administration Server.

pdPort The port number of the Oracle Entitlements Server Administration Server. For example, 7002.

WSListeningPort The web service listening port. For example, 9410.

This command also creates the client configuration for the .NET Security Module instance.

Configuring .NET Security Module

Perform the configuration in this scenario if .NET and Web Service are installed on a single machine, and the Web Service Security Module is already configured.

Before you configure a .NET Security Module instance using the command below, ensure that you have configured the Web Service Security Module, as described in Configuring Web Service Security Module on Oracle WebLogic Server.

Run config.cmd (located in OES_CLIENT_HOME\oessm\bin) on Windows as follows:

config.cmd -smType dotnet -smConfigId myDotnet -prpFileName <ws_config> -dotnetprpFileName <dotnetsm_config>

Table 8–17 describes the parameters you specify on the command line.

Table 8–17 .NET Security Module Parameters

Parameter Description

smType The type of security module instance you want to create. For example, dotnet.

smConfigId The name of the security module instance. For example, myDotnet.

prpFileName Specify the path to the smconfig.prp file located in <OES_Client_Home>\oessm\wssm\configtool.

dotnetprpFileName Specify the path to the dotnetsm_config.properties file located in <OES_Client_Home>\oessm\dotnetsm\configtool.

This command also creates the client configuration for the .NET Security Module instance.

Scenario 2: .NET and Web Service on Different Machines

Perform the configuration in this scenario if .NET and Web Service are installed on different machines.

Before you configure a .NET Security Module instance using the command below, ensure that you have configured the Web Service Security Module, as described in Configuring Web Service Security Module on Oracle WebLogic Server.

Run config.cmd (located in OES_CLIENT_HOME\oessm\bin) on Windows as follows:

config.cmd -smType dotnet -smConfigId myDotnet -prpFileName <ws_config> -dotnetprpFileName <dotnetsm_config>

Table 8–18 describes the parameters you specify on the command line.

Table 8–18 .NET Security Module Parameters

Parameter Description

smType The type of security module instance you want to create. For example, dotnet.

smConfigId The name of the security module instance. For example, myDotnet.

prpFileName Specify the path to the smconfig.prp file located in <OES_Client_Home>\oessm\wssm\configtool.

dotnetprpFileName Specify the path to the dotnetsm_config.properties file located in <OES_Client_Home>\oessm\dotnetsm\configtool.

This command also creates the client configuration for the .NET Security Module instance.

8.7.3.11 Configuring Microsoft SharePoint Server (MOSS) Security Module

This section includes the following topics:


■ Prerequisites for Configuring MOSS Security Module

■ MOSS Configuration Scenarios

■ Running Resource Discovery Tool

■ Migrating Resource Policies

8.7.3.11.1 Prerequisites for Configuring MOSS Security Module

Before configuring a MOSS Security Module instance, you must ensure the following:

■ Microsoft SharePoint Server (MOSS) is installed on your machine.

■ The MOSS Web Application, associated with site collections and other resources to be protected by OES MOSS Security Module has been created.

8.7.3.11.2 MOSS Configuration Scenarios

You can configure MOSS Security Module in the following scenarios:

■ Scenario 1: MOSS and Web Service on a Single Machine

■ Scenario 2: MOSS and Web Service on Different Machines

Scenario 1: MOSS and Web Service on a Single Machine

If MOSS and Web Service are installed on a single machine, the following configurations are possible:

■ Configuring MOSS Security Module and Web Service Security Module

■ Configuring MOSS Security Module

Configuring MOSS Security Module and Web Service Security Module

Perform the configuration in this scenario if MOSS and Web Service are installed on a single machine, and you want to configure both the MOSS Security Module and the Web Service Security Module.

Run the config.cmd file located in the OES_CLIENT_HOME\oessm\bin directory (on Windows), as follows:

config.cmd -smType mossws -prpFileName <ws_config> -mossprpFileName <moss_config> -smConfigId myMoss -pdServer <oes_server_address> -pdPort <oes_server_ssl_port> -WSListeningPort 9410

Table 8–19 describes the parameters you specify on the command line.

Table 8–19 MOSS Security Module Parameters

Parameter Description

smType The type of security module instance you want to create. For example, mossws.

smConfigId The name of the security module instance. For example, myMoss.

prpFileName Specify the path to the smconfig.prp file located in <OES_Client_Home>\oessm\wssm\configtool.

mossprpFileName Specify the path to the moss_config.properties file located in <OES_Client_Home>\oessm\mosssm\adm\configtool.

pdServer The address of the Oracle Entitlements Server Administration Server.

pdPort The SSL port number of the Oracle Entitlements Server Administration Server. For example, 7002.

WSListeningPort The web service listening port. For example, 9410.

This command also creates client configuration for the MOSS Security Module Instance.

Configuring MOSS Security Module

Perform the configuration in this scenario if MOSS and Web Service are installed on a single machine, and the Web Service Security Module is already configured.

Before you configure a MOSS Security Module instance using the command mentioned below, ensure that you have configured the Web Service Security Module, as described in Configuring Web Service Security Module on Oracle WebLogic Server.

Run the config.cmd file located in the OES_CLIENT_HOME\oessm\bin directory (on Windows), as follows:

config.cmd -smType moss -smConfigId myMoss -prpFileName <ws_config> -mossprpFileName <moss_config>

Table 8–20 describes the parameters you specify on the command line.

Table 8–20 MOSS Security Module Parameters

Parameter Description

smType The type of security module instance you want to create. For example, moss.

smConfigId The name of the security module instance. For example, myMoss.

prpFileName Specify the path to the smconfig.prp file located in <OES_Client_Home>\oessm\wssm\configtool.

mossprpFileName Specify the path to the moss_config.properties file located in <OES_Client_Home>\oessm\mosssm\adm\configtool.

This command also creates client configuration for the MOSS Security Module Instance.

Scenario 2: MOSS and Web Service on Different Machines

Perform the configuration in this scenario if MOSS and Web Service are installed on different machines.

Before you configure a MOSS Security Module instance using the command mentioned below, ensure that you have configured the Web Service Security Module, as described in Configuring Web Service Security Module on Oracle WebLogic Server.

Run the config.cmd file located in the OES_CLIENT_HOME\oessm\bin directory (on Windows), as follows:

config.cmd -smType moss -smConfigId myMoss -prpFileName <ws_config> -mossprpFileName <moss_config>

Table 8–21 describes the parameters you specify on the command line.

Table 8–21 MOSS Security Module Parameters

Parameter Description

smType The type of security module instance you want to create. For example, moss.

smConfigId The name of the security module instance. For example, myMoss.

prpFileName Specify the path to the smconfig.prp file located in <OES_Client_Home>\oessm\wssm\configtool.

mossprpFileName Specify the path to the moss_config.properties file located in <OES_Client_Home>\oessm\mosssm\adm\configtool.

This command also creates client configuration for the MOSS Security Module Instance.

8.7.3.11.3 Running Resource Discovery Tool

You must run the Resource Discovery tool to locate the MOSS resources.

Run the MOSSResourceDiscovery.exe file, located in the OES_CLIENT_HOME\oessm\mosssm\lib directory (on Windows). You will be prompted for the following parameters:

■ Enter the folder path where you want to create OES policy file - Specify the path of the folder where the resource files will be created. This folder must exist before you run the tool; it is not created for you.

■ Enter Path where Admin Url file is located - Specify the path to the OES_CLIENT_HOME\oessm\mosssm\adm\discovery\AdmUrls.txt file. This file is used to extract the admin URLs.

■ Enter SharePoint site URL and DONOT append url with /. e.g. http://sharepoint01 - Specify the URL of the top-level MOSS site to be protected by OES, without a trailing slash.

■ Enter Application Name of the MOSS application to be protected by OES e.g. MossApp - Specify the name of the MOSS application to be protected by OES.

■ Enter Resource Type of all the MOSS resources e.g. MossResourceType - Specify the resource type of all the MOSS resources to be protected by OES.

Note: Ensure that the MOSS application name that you provide is the same as the value defined for the moss.app.name parameter in the moss_config.properties file.

Note: Ensure that the MOSS resource type that you provide is the same as the value defined for the moss.resource.type parameter in the moss_config.properties file.

Following is a sample execution of the MOSSResourceDiscovery.exe file:

C:\Oracle\Middleware\Oracle_OESClient\oessm\mosssm\lib>MOSSResourceDiscovery.exe
----------------------------------------------------------
Welcome to the MOSS Resource Discovery
----------------------------------------------------------
Enter the folder path where you want to create OES policy file
c:\inetpub\wwwroot\wss\VirtualDirectories\9581\policy
Enter Path where Admin Url file is located
C:\Oracle\Middleware\Oracle_OESClient\oessm\mosssm\adm\Discovery\AdmUrls.txt
Enter SharePoint site URL and DONOT append url with /. e.g. http://sharepoint01
http://alesw2k8:9581
Enter Application Name of the MOSS application to be protected by OES e.g. MossApp
MossApp
Enter Resource Type of all the MOSS resources e.g. MossResourceType
MossResourceType
Resource Discovery starts....
SpSitePath is http://alesw2k8:9581

8.7.3.11.4 Migrating Resource Policies

To migrate the MOSS resource policies to OES policy store, complete the following steps:

1. Go to the OES_CLIENT_HOME\oessm\bin directory (on Windows), or the OES_CLIENT_HOME/oessm/bin directory (on UNIX).

2. Run the manage-policy.cmd file (on Windows), or manage-policy.sh file (on UNIX)

Following is a sample execution of manage-policy.cmd file:

C:\Oracle\Middleware\Oracle_OESClient\oessm\bin>manage-policy.cmd

Please input the application name for the protected MOSS application e.g MossApp:MossApp

Input the resource type for the MOSS resources e.g MossResourceType:MossResourceType

Input the Moss resource file:c:\inetpub\wwwroot\wss\VirtualDirectories\9581\policy\object

Creating resource: /_layouts

8.7.4 Locating Security Module Instances

The Oracle Entitlements Server security module instances are created in the OES_CLIENT_HOME/oes_sm_instances directory.

For Oracle WebLogic Server security module, the domain configuration is located in DOMAIN_HOME/config/oeswlssmconfig.

You can create, delete, or modify the security module instances, as required.


8.7.5 Using the Java Security Module

After configuring the Java Security Module for your program, you must start the Java Security Module with your program by completing the following:

1. Set the Java system property -Doracle.security.jps.config to the location of the jps-config.xml file (located in OES_CLIENT_HOME/oes_sm_instances/<SM_NAME>/config).

2. Add oes-client.jar (located in OES_CLIENT_HOME/modules/oracle.oes_sm.1.1.1) to the classpath of the program.
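The two steps above carried out from a shell with a pre-flight check, as an added example that is not part of the Oracle guide: the function looks up the instance's jps-config.xml and the oes-client.jar under OES_CLIENT_HOME, refuses to build a launch command if either is missing (a missing jps-config.xml normally means config.sh has not yet been run for that instance name), and otherwise prints the java command line with the system property and classpath set. The instance name mySM, the application jar and the main class are assumed values; the jar is located with find rather than through a hard-coded module directory, so the directory name does not have to be typed exactly as the guide prints it.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: build the launch command for a
# program that embeds the OES Java Security Module (section 8.7.5).
#
# oes_java_cmd OES_CLIENT_HOME SM_NAME APP_JAR MAIN_CLASS
#   Prints the java command line on stdout and returns 0, or prints a
#   diagnostic on stderr and returns 1 when the instance is not usable.
oes_java_cmd() {
    oes_home=$1
    sm_name=$2
    app_jar=$3
    main_class=$4

    # Step 1 of the guide: the instance's jps-config.xml, which config.sh
    # -smType java -smConfigId "$sm_name" writes under oes_sm_instances.
    jps_cfg="$oes_home/oes_sm_instances/$sm_name/config/jps-config.xml"
    if [ ! -f "$jps_cfg" ]; then
        echo "oes_java_cmd: $jps_cfg not found; run config.sh -smType java -smConfigId $sm_name first" >&2
        return 1
    fi

    # Step 2 of the guide: oes-client.jar under OES_CLIENT_HOME/modules.
    # Located with find so the module directory name is not hard-coded.
    oes_jar=$(find "$oes_home/modules" -name oes-client.jar 2>/dev/null | head -n 1)
    if [ -z "$oes_jar" ]; then
        echo "oes_java_cmd: oes-client.jar not found under $oes_home/modules" >&2
        return 1
    fi

    # The application jar and main class are the caller's; only the OES
    # parts of the command line come from the guide.
    printf 'java -Doracle.security.jps.config=%s -cp %s:%s %s\n' \
        "$jps_cfg" "$oes_jar" "$app_jar" "$main_class"
}

# Usage with assumed values (the paths have no shell metacharacters, so the
# printed command can be evaluated as-is):
#   cmd=$(oes_java_cmd "$OES_CLIENT_HOME" mySM /opt/app/myapp.jar com.example.Main) && eval "$cmd"
```

Because the function only prints the command, it can also be run alone as a check after config.sh, before any application is started against the new instance.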

8.7.6 Configuring the PDP Proxy Client

You can configure a PDP Proxy Client for your Web Service Security Module or RMI Security Module by setting the parameters described in Table 8–22.

You must run config.sh (located in OES_CLIENT_HOME/oessm/bin on UNIX) or config.cmd (located in OES_CLIENT_HOME\oessm\bin on Windows) as shown in the following example:

OES_CLIENT_HOME/oessm/bin/config.sh -smType <SM_TYPE> -smConfigId <SM_NAME>

SM_TYPE can be java, wls, or was. For SM_NAME, enter an appropriate name.
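An added consistency check for the three PDP Proxy Client parameters of Table 8–22, not part of the Oracle guide. It assumes the parameters are written as key=value lines in a Java-properties-style file (the smconfig.prp format that the config commands above take through -prpFileName) and verifies that isProxy is true, that the transport is WS or RMI, and that the PDPAddress scheme matches the transport, so that a WS transport paired with an rmi:// address, or the reverse, is caught before the security module is started. The file names and host names in the usage are constructed values.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: sanity-check the PDP Proxy
# Client parameters of Table 8-22 in a key=value properties file
# (assumed to be the smconfig.prp format passed to config.sh/config.cmd).

# prp_get FILE KEY: print the last value set for KEY (empty if unset).
# Tolerates spaces around "=" and CRLF line endings from Windows editors.
prp_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d '\r'
}

# check_pdp_proxy_prp FILE
#   Returns 0 and prints "<transport> <address>" when the proxy settings
#   are consistent; otherwise prints the problem on stderr and returns 1.
check_pdp_proxy_prp() {
    file=$1
    is_proxy=$(prp_get "$file" oracle.security.jps.pdp.isProxy)
    transport=$(prp_get "$file" oracle.security.jps.pdp.PDPTransport)
    address=$(prp_get "$file" oracle.security.jps.pdp.proxy.PDPAddress)

    if [ "$is_proxy" != "true" ]; then
        echo "$file: oracle.security.jps.pdp.isProxy must be true (got '$is_proxy')" >&2
        return 1
    fi

    # Table 8-22 pairs WS with http://hostname:port and RMI with rmi://hostname:port.
    case "$transport" in
        WS)  scheme=http ;;
        RMI) scheme=rmi ;;
        *)   echo "$file: PDPTransport must be WS or RMI (got '$transport')" >&2
             return 1 ;;
    esac

    case "$address" in
        "$scheme://"?*:[0-9]*) ;;
        *)  echo "$file: PDPAddress '$address' does not match transport $transport (expected $scheme://hostname:port)" >&2
            return 1 ;;
    esac

    echo "$transport $address"
}

# Usage with a constructed file name:
#   check_pdp_proxy_prp /path/to/smconfig.prp || exit 1
```

Run it against the .prp file before invoking config.sh; a non-zero exit means the proxy settings would point the security module at a PDP endpoint it cannot talk to.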

8.8 Getting Started with Oracle Entitlements Server After InstallationAfter installing Oracle Entitlements Server, refer to the following documents:

■ Oracle Fusion Middleware Administrator's Guide for Oracle Entitlements Server

■ Oracle Fusion Middleware Developer's Guide for Oracle Entitlements Server

Table 8–22 PDP Proxy Client Security Module Parameters

Parameter Description

oracle.security.jps.pdp.isProxy Specify true as the value.

oracle.security.jps.pdp.PDPTransport Specify WS (Web Service) or RMI.

oracle.security.jps.pdp.proxy.PDPAddress Specify http://hostname:port (WS) or rmi://hostname:port (RMI).

9 Configuring Oracle Privileged Account Manager

This chapter explains how to configure Oracle Privileged Account Manager. It includes the following topics:

■ Overview

■ Important Note Before You Begin

■ Installation and Configuration Roadmap for Oracle Privileged Account Manager

■ Configuring Oracle Privileged Account Manager and Oracle Identity Navigator in a New WebLogic Domain

■ Starting the Oracle WebLogic Administration Server

■ Post-Installation Tasks

■ Starting the Managed Server

■ Verifying Oracle Privileged Account Manager

■ Getting Started with Oracle Privileged Account Manager After Installation

9.1 Overview

For an introduction to the Oracle Privileged Account Manager, see "Understanding Oracle Privileged Account Manager" in the Oracle Fusion Middleware Administrator's Guide for Oracle Privileged Account Manager.

9.2 Important Note Before You Begin

Before you start installing and configuring Oracle Identity and Access Management products in any of the scenarios discussed in this guide, note that IAM_Home is used to refer to the Oracle Home directory that includes Oracle Identity Manager, Oracle Access Management, Oracle Adaptive Access Manager, Oracle Entitlements Server, Oracle Identity Navigator, Oracle Privileged Account Manager, and Oracle Access Management Mobile and Social. You can specify any name for this Oracle Home directory.

9.3 Installation and Configuration Roadmap for Oracle Privileged Account Manager

Table 9–1 lists the tasks for installing and configuring Oracle Privileged Account Manager.


Table 9–1 Installation and Configuration Flow for Oracle Privileged Account Manager

No. Task Description

1 Review installation concepts in the Installation Planning Guide.

Read the Oracle Fusion Middleware Installation Planning Guide, which describes the process for various users to install or upgrade to Oracle Fusion Middleware 11g (11.1.2) depending on the user's existing environment.

2 Review the system requirements and certification documents to ensure that your environment meets the minimum installation requirements for the components you are installing.

For more information, see Section 2.1, "Reviewing System Requirements and Certification".

3 Obtain the Oracle Fusion Middleware Software.

For more information, see Section 3.2.1, "Obtaining the Oracle Fusion Middleware Software"

4 Review the Database requirements. For more information, see Section 3.2.2, "Database Requirements".

5 Run Oracle Fusion Middleware Repository Creation Utility (RCU) to create and load the appropriate schemas for Oracle Identity and Access Management products.

For more information, see Section 3.2.3, "Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU)".

6 Review WebLogic Server and Middleware Home requirements.

For more information, see Section 3.2.4, "WebLogic Server and Middleware Home Requirements".

7 Start the Oracle Identity and Access Management Installer.

For more information, see Section 3.2.6, "Starting the Oracle Identity and Access Management Installer".

8 Install the Oracle Identity and Access Management 11g software.

Oracle Privileged Account Manager is included in the Oracle Identity and Access Management Suite. You can use the Oracle Identity and Access Management 11g Installer to install Oracle Identity and Access Management Suite.

For more information, see Section 3.2.7, "Installing Oracle Identity and Access Management (11.1.2)".

9 Run the Oracle Fusion Middleware Configuration Wizard to configure your Oracle Identity and Access Management products in a new or existing WebLogic domain.

For more information, see Section 9.4, "Configuring Oracle Privileged Account Manager and Oracle Identity Navigator in a New WebLogic Domain".

10 Configure the Database Security Store. For more information, see Section 3.2.9, "Configuring Database Security Store for an Oracle Identity and Access Management Domain".

11 Complete the post-installation tasks. Complete the following post-installation tasks:

■ Section 9.5, "Starting the Oracle WebLogic Administration Server"

■ Section 9.6, "Post-Installation Tasks"

■ Section 9.7, "Starting the Managed Server"

■ Section 9.8, "Assigning the Application Configurator Role to a User"

■ Section 9.9, "Verifying Oracle Privileged Account Manager"

■ Section 9.10, "Getting Started with Oracle Privileged Account Manager After Installation"


9.4 Configuring Oracle Privileged Account Manager and Oracle Identity Navigator in a New WebLogic Domain

This topic describes how to configure Oracle Privileged Account Manager and Oracle Identity Navigator in a new WebLogic administration domain. It includes the following sections:

■ Appropriate Deployment Environment

■ Components Deployed

■ Dependencies

■ Procedure

9.4.1 Appropriate Deployment Environment

Perform the configuration in this topic if you want to configure Oracle Privileged Account Manager with Oracle Identity Navigator in a new WebLogic domain and then run the Oracle Identity Navigator discovery feature. This feature populates links to the product consoles for Oracle Identity Manager, Oracle Access Management, Oracle Adaptive Access Manager, and Oracle Privileged Account Manager. You can then access those product consoles from within the Oracle Identity Navigator interface, without having to remember the individual console URLs.

9.4.2 Components Deployed

Performing the configuration in this section deploys the Oracle Privileged Account Manager and Oracle Identity Navigator applications on a new WebLogic Administration Server.

9.4.3 Dependencies

The configuration in this section depends on the following:

■ Oracle WebLogic Server 11g Release 1 (10.3.6) or Oracle WebLogic Server 11g Release 1 (10.3.5).

■ Installation of the Oracle Identity and Access Management 11g software.

■ Database schemas for Oracle Privileged Account Manager. For more information, see Section 3.2.3, "Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU)".

9.4.4 Procedure

Perform the following steps to configure Oracle Privileged Account Manager and Oracle Identity Navigator in a new WebLogic administration domain:

1. Start the Oracle Fusion Middleware Configuration Wizard by running the <IAM_Home>/common/bin/config.sh script (on UNIX), or <IAM_Home>\common\bin\config.cmd (on Windows).

Note: IAM_Home is used as an example here. You must run this script from your Oracle Identity and Access Management Home directory that contains Oracle Identity Manager, Oracle Access Management, Oracle Adaptive Access Manager, Oracle Entitlements Server, Oracle Privileged Account Manager, Oracle Access Management Mobile and Social, and Oracle Identity Navigator.

The Welcome screen of the Oracle Fusion Middleware Configuration Wizard appears.

2. On the Welcome screen, select Create a new WebLogic domain, and click Next. The Select Domain Source screen appears.

3. On the Select Domain Source screen, ensure that the Generate a domain configured automatically to support the following products: option is selected. Select Oracle Privileged Account Manager - 11.1.2.0.0 [IAM_Home].

Note: When you select the Oracle Privileged Account Manager - 11.1.2.0.0 [IAM_Home] option, the following options are also selected, by default:

■ Oracle Identity Navigator - 11.1.2.0.0 [IAM_Home]

■ Oracle Platform Security Service 11.1.1.0 [IAM_Home]

■ Oracle JRF 11.1.1.0 [oracle_common]

Click Next. The Specify Domain Name and Location screen appears.

4. Enter a name and a location for the domain to be created, and click Next. The Configure Administrator User Name and Password screen appears.

5. Configure a user name and a password for the administrator. The default user name is weblogic. Click Next.

6. Choose a JDK and Production Mode in the Configure Server Start Mode and JDK screen of the Oracle Fusion Middleware Configuration Wizard. Click Next. The Configure JDBC Component Schema screen is displayed.

7. On the Configure JDBC Component Schema screen, select a component schema, such as the OPAM Schema or the OPSS Schema, that you want to modify.

You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, click Next. The Select Optional Configuration screen appears.

8. On the Select Optional Configuration screen, you can configure Administration Server and Managed Servers, Clusters, and Machines, Deployments and Services, and RDBMS Security Store options. Click Next.

9. Optional: Configure the following Administration Server parameters:

■ Name

■ Listen address

■ Listen port

■ SSL listen port

■ SSL enabled or disabled

10. Optional: Configure Managed Servers, as required.


11. Optional: Configure Clusters, as required.

For more information about configuring clusters for Oracle Identity and Access Management products, see the "Configuring High Availability for Identity Management Components" topic in the Oracle Fusion Middleware High Availability Guide.

12. Optional: Assign Managed Servers to clusters, as required.

13. Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

Tip: Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.

14. Optional: Assign the Administration Server to a machine.

15. Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

16. Optional: Configure RDBMS Security Store, as required.

17. On the Configuration Summary screen, you can view summaries of your configuration for deployments, applications, and services. Review the domain configuration, and click Create to start creating the domain.

A new WebLogic domain to support Oracle Privileged Account Manager and Oracle Identity Navigator is created in the <MW_HOME>\user_projects\domains directory (on Windows). On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory.

Note: After configuring Oracle Privileged Account Manager in a new WebLogic administration domain, you must configure the Database Security Store. For more information, see Section 3.2.9, "Configuring Database Security Store for an Oracle Identity and Access Management Domain".

9.5 Starting the Oracle WebLogic Administration Server

After installing and configuring Oracle Privileged Account Manager, you must start the Oracle WebLogic Administration Server, as described in Appendix C.1, "Starting the Stack".

9.6 Post-Installation Tasks

After installing and configuring Oracle Privileged Account Manager, you must run the opam-config.sh script (on UNIX), or opam-config.bat script (on Windows).

■ Before executing the script, ensure that the WebLogic Administration Server is running. For more information on starting the Oracle WebLogic Administration Server, see Appendix C.1, "Starting the Stack".

Note: If you are extending a domain, ensure that the WebLogic Administration Server is restarted before running the opam-config.sh script (on UNIX), or opam-config.bat script (on Windows).


■ Set up ANT_HOME, ORACLE_HOME, JAVA_HOME and the permgen size.

For example:

On Windows:

set ORACLE_HOME=##set Oracle_Home here##
set ANT_HOME=MW_HOME\modules\org.apache.ant_1.7.0
set JAVA_HOME=MW_HOME\jdk160_14_R27.6.4-18
set ANT_OPTS=-Xmx512M -XX:MaxPermSize=512m

On UNIX:

setenv ORACLE_HOME ##set Oracle_Home here##
setenv ANT_HOME $MW_HOME/modules/org.apache.ant_1.7.0
setenv JAVA_HOME $MW_HOME/jdk160_14_R27.6.5-32
setenv ANT_OPTS "-Xmx512M -XX:MaxPermSize=512m"

■ Go to the <IAM_Home>/opam/bin directory and run the opam-config.sh script (on UNIX), or opam-config.bat script (on Windows). Provide the following information, when prompted:

■ Oracle WebLogic Administration username

■ Oracle WebLogic Administration password

■ Oracle WebLogic Administration Server URL

■ Oracle WebLogic Domain Name

■ Oracle Middleware Home

Note: Oracle WebLogic Domain Name is case sensitive. You must provide the same value that you defined during domain creation.

Note: Oracle Middleware Home is case sensitive. You must provide the same value that you defined during domain creation.

■ The log file for the opam-config script is written to <IAM_HOME>/opam/config/opam-config.log.

Note: After running the opam-config.sh script (on UNIX), or opam-config.bat script (on Windows), you must restart the Oracle WebLogic Administration Server, as described in Appendix C.1, "Starting the Stack".

9.7 Starting the Managed Server

You must start the Oracle Privileged Account Manager Managed Server, as described in Appendix C.1, "Starting the Stack".

9.8 Assigning the Application Configurator Role to a User

After you complete the installation process, you do not have any users with administrator roles. You must select a user and grant that user the Application Configurator role by using Oracle Identity Navigator.


When the Application Configurator user logs in by using the URL mentioned below, the user will see an empty screen with a Configure OPAM link.

http://<adminserver-host>:<adminserver-port>/oinav/opam

The Application Configurator user uses this link to tell the Oracle Privileged Account Manager Console where the Oracle Privileged Account Manager server is running, by providing the server's host and port. These are the values that you provided for the OPAM Managed Server during OPAM configuration.

When the Oracle Privileged Account Manager Console can successfully communicate with the Oracle Privileged Account Manager server, the Console is populated with content.

Note: For more information, see "Assigning a Common Admin Role" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Navigator.

For information about the Administration Roles that the Application Configurator user can have, see "Administration Role Types" in the Oracle Fusion Middleware Administrator's Guide for Oracle Privileged Account Manager.

9.9 Verifying Oracle Privileged Account Manager

After completing the installation process, including post-installation steps, you can verify the installation and configuration of Oracle Privileged Account Manager as follows:

1. Ensure that the Administration Server and the Managed Server are up and running.

2. Log in to the Administration Console for Oracle Privileged Account Manager using the URL: http://<adminserver-host>:<adminserver-port>/oinav/opam

When you access this Administration Console running on the Administration Server, you are prompted to enter a user name and password. Note that you must have the Administrator role and privileges.

3. Verify the Oracle WebLogic Server Administration Console. If the installation and configuration of Oracle Privileged Account Manager is successful, this console shows opam_server1, the default Managed Server, in RUNNING state.

9.10 Getting Started with Oracle Privileged Account Manager After Installation

After installing Oracle Privileged Account Manager, refer to the "Getting Started with Administering OPAM" chapter in the Oracle Fusion Middleware Administrator's Guide for Oracle Privileged Account Manager.

10 Configuring Oracle Access Management Mobile and Social

This chapter explains how to configure Oracle Access Management Mobile and Social. It includes the following topics:

■ Overview

■ Important Note Before You Begin

■ Installation and Configuration Roadmap for Oracle Access Management Mobile and Social

■ Oracle Access Management Mobile and Social Configuration Scenarios

■ Verifying Oracle Access Management Mobile and Social

■ Getting Started with Oracle Access Management Mobile and Social After Installation

10.1 Overview

For an introduction to Oracle Access Management Mobile and Social, see the "Understanding Mobile and Social" chapter in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

10.2 Important Note Before You Begin

Before you start installing and configuring Oracle Identity and Access Management products in any of the scenarios discussed in this guide, note that IAM_Home is used to refer to the Oracle Home directory that includes Oracle Identity Manager, Oracle Access Management, Oracle Adaptive Access Manager, Oracle Entitlements Server, Oracle Identity Navigator, Oracle Privileged Account Manager, and Oracle Access Management Mobile and Social. You can specify any name for this Oracle Home directory.

10.3 Installation and Configuration Roadmap for Oracle Access Management Mobile and Social

Table 10–1 lists the tasks for installing and configuring Oracle Access Management Mobile and Social.


Table 10–1 Installation and Configuration Flow for Oracle Access Management Mobile and Social

No. / Task / Description

1. Task: Review installation concepts in the Installation Planning Guide.
Description: Read the Oracle Fusion Middleware Installation Planning Guide, which describes the process for various users to install or upgrade to Oracle Fusion Middleware 11g (11.1.2) depending on the user's existing environment.

2. Task: Review the system requirements and certification documents to ensure that your environment meets the minimum installation requirements for the components you are installing.
Description: For more information, see Section 2.1, "Reviewing System Requirements and Certification".

3. Task: Obtain the Oracle Fusion Middleware software.
Description: For more information, see Section 3.2.1, "Obtaining the Oracle Fusion Middleware Software".

4. Task: Review the database requirements.
Description: For more information, see Section 3.2.2, "Database Requirements".

5. Task: Run Oracle Fusion Middleware Repository Creation Utility (RCU) to create and load the appropriate schemas for Oracle Identity and Access Management products.
Description: For more information, see Section 3.2.3, "Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU)".
Note: If you are configuring Oracle Access Management Mobile and Social standalone, skip this step.

6. Task: Review WebLogic Server and Middleware Home requirements.
Description: For more information, see Section 3.2.4, "WebLogic Server and Middleware Home Requirements".

7. Task: Start the Oracle Identity and Access Management Installer.
Description: For more information, see Section 3.2.6, "Starting the Oracle Identity and Access Management Installer".

8. Task: Install the Oracle Identity and Access Management 11g software.
Description: Oracle Access Management Mobile and Social is included in the Oracle Identity and Access Management Suite. You can use the Oracle Identity and Access Management 11g Installer to install Oracle Identity and Access Management Suite. For more information, see Section 3.2.7, "Installing Oracle Identity and Access Management (11.1.2)".

9. Task: Run the Oracle Fusion Middleware Configuration Wizard to configure your Oracle Identity and Access Management products in a new or existing WebLogic domain.
Description: This chapter describes the following configuration scenarios:

■ Section 10.4.1, "Oracle Access Management Mobile and Social with Oracle Access Manager 11gR2"

■ Section 10.4.2, "Oracle Access Management Mobile and Social Standalone in a New WebLogic Domain"

10. Task: Configure the Database Security Store.
Description: For more information, see Section 3.2.9, "Configuring Database Security Store for an Oracle Identity and Access Management Domain".
Note: If you are configuring Oracle Access Management Mobile and Social standalone, skip this step.

11. Task: Start the servers.
Description: You must start the Administration Server and all Managed Servers. For more information, see Appendix C.1, "Starting the Stack".

12. Task: Complete the post-installation tasks.
Description: Complete the following post-installation tasks:

■ Section 10.5, "Verifying Oracle Access Management Mobile and Social"

■ Section 10.6, "Getting Started with Oracle Access Management Mobile and Social After Installation"


10.4 Oracle Access Management Mobile and Social Configuration Scenarios

The following lists the scenarios in which you can configure Oracle Access Management Mobile and Social:

■ Oracle Access Management Mobile and Social with Oracle Access Manager 11gR2

■ Oracle Access Management Mobile and Social Standalone in a New WebLogic Domain

10.4.1 Oracle Access Management Mobile and Social with Oracle Access Manager 11gR2

This topic describes how to configure Oracle Access Management Mobile and Social with Oracle Access Manager 11gR2. It includes the following sections:

■ Overview

■ Appropriate Deployment Environment

■ Components Deployed

■ Dependencies

■ Procedure

10.4.1.1 Overview

Oracle Access Management Mobile and Social is packaged with Oracle Access Management. Oracle Access Management has many components, such as Oracle Access Manager, Oracle Access Management Security Token Service, Oracle Access Management Identity Federation, and Oracle Access Management Mobile and Social. In this scenario, only Oracle Access Manager is enabled as the authentication provider, by default. You can enable other services, such as Oracle Access Management Mobile and Social, using the Oracle Access Management Administration Console after the installation is complete.

10.4.1.2 Appropriate Deployment Environment

Perform the configuration in this topic if you want to use Oracle Access Manager 11gR2 as a service.

In this configuration, you can select other Oracle Identity and Access Management products like Oracle Adaptive Access Manager when you configure Oracle Access Management Mobile and Social.

10.4.1.3 Components Deployed

Performing the configuration in this section deploys the following Oracle Access Management components:

■ Oracle Access Manager

■ Oracle Access Management Security Token Service

■ Oracle Access Management Identity Federation

■ Oracle Access Management Mobile and Social

10.4.1.4 Dependencies

The configuration in this section depends on the following:


■ Oracle WebLogic Server 11g Release 1 (10.3.6) or Oracle WebLogic Server 11g Release 1 (10.3.5).

■ Installation of the Oracle Identity and Access Management 11g software.

■ Database schemas for Oracle Access Management. For more information, see Section 3.2.3, "Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU)".

10.4.1.5 Procedure

Perform the following steps to configure Oracle Access Management Mobile and Social and Oracle Access Manager in a new WebLogic administration domain:

1. Start the Oracle Fusion Middleware Configuration Wizard by running the <IAM_Home>/common/bin/config.sh script (on UNIX), or <IAM_Home>\common\bin\config.cmd (on Windows).

The Welcome screen of the Oracle Fusion Middleware Configuration Wizard appears.

2. On the Welcome screen, select Create a new WebLogic domain, and click Next. The Select Domain Source screen appears.

3. On the Select Domain Source screen, ensure that the Generate a domain configured automatically to support the following products: option is selected. Select Oracle Access Management - 11.1.2.0.0 [IAM_Home].

You may optionally select Oracle Adaptive Access Manager Admin Server - 11.1.2.0.0 [IAM_Home] if you want to add Oracle Adaptive Access Manager to the same WebLogic Administration domain containing Oracle Access Management Mobile and Social.

Oracle highly recommends that you select Oracle Adaptive Access Manager if you want to use the device registration feature.

Note: IAM_Home is used as an example here. You must run this script from your Oracle Identity and Access Management Home directory that contains Oracle Identity Manager, Oracle Access Management, Oracle Adaptive Access Manager, Oracle Entitlements Server, Oracle Privileged Account Manager, Oracle Access Management Mobile and Social, and Oracle Identity Navigator.

Note: When you select the Oracle Access Management - 11.1.2.0.0 [IAM_Home] option, the following options are also selected, by default:

■ Oracle Platform Security Service 11.1.1.0 [IAM_Home]

■ Oracle JRF 11.1.1.0 [oracle_common]


Click Next. The Specify Domain Name and Location screen appears.

4. Enter a name and a location for the domain to be created, and click Next. The Configure Administrator User Name and Password screen appears.

5. Configure a user name and a password for the administrator. The default user name is weblogic. Click Next.

6. Choose a JDK and Production Mode in the Configure Server Start Mode and JDK screen of the Oracle Fusion Middleware Configuration Wizard. Click Next. The Configure JDBC Component Schema screen is displayed.

7. On the Configure JDBC Component Schema screen, select a component schema, such as the OAM Infrastructure Schema or the OPSS Schema, that you want to modify.

You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears. After the test succeeds, click Next. The Select Optional Configuration screen appears.

8. On the Select Optional Configuration screen, you can configure Administration Server and Managed Servers, Clusters, and Machines, Deployments and Services, and RDBMS Security Store options. Click Next.

9. Optional: Configure the following Administration Server parameters:

■ Name

■ Listen address

■ Listen port

■ SSL listen port

■ SSL enabled or disabled

10. Optional: Configure Managed Servers, as required.

11. Optional: Configure Clusters, as required.

For more information about configuring clusters for Oracle Identity and Access Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

12. Optional: Assign Managed Servers to clusters, as required.

13. Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

Note: If you select the Oracle Adaptive Access Manager Admin Server - 11.1.2.0.0 [IAM_Home] option, the following options are also selected, by default:

■ Oracle Enterprise Manager 11.1.1.0 [oracle_common]

■ Oracle Identity Navigator - 11.1.2.0.0 [IAM_Home]

Tip: Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.


14. Optional: Assign the Administration Server to a machine.

15. Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

16. Optional: Configure RDBMS Security Store, as required.

17. On the Configuration Summary screen, you can view summaries of your configuration for deployments, application, and service. Review the domain configuration, and click Create to start creating the domain.

A new WebLogic domain to support Oracle Access Management Mobile and Social with Oracle Access Manager is created in the <MW_HOME>\user_projects\domains directory (on Windows). On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory.

18. Start the Oracle WebLogic Administration Server, as described in Appendix C.1, "Starting the Stack".

19. Start all Managed Servers, as described in Appendix C.1, "Starting the Stack".

Note: After configuring Oracle Access Management Mobile and Social with Oracle Access Management in a new WebLogic administration domain, you must configure the Database Security Store. For more information, see Section 3.2.9, "Configuring Database Security Store for an Oracle Identity and Access Management Domain".

Note: After you configure Oracle Access Management Mobile and Social with Oracle Access Management, only Oracle Access Manager is enabled as the authentication provider, by default. To enable other Oracle Access Management components, such as Oracle Access Management Security Token Service (OSTS), Oracle Access Management Identity Federation (OIF), and Oracle Access Management Mobile and Social, refer to "Enabling or Disabling Available Services" in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

10.4.2 Oracle Access Management Mobile and Social Standalone in a New WebLogic Domain

This topic describes how to configure Oracle Access Management Mobile and Social standalone in a new WebLogic administration domain. It includes the following sections:

■ Overview

■ Appropriate Deployment Environment

■ Components Deployed

■ Dependencies

■ Procedure

10.4.2.1 Overview

Oracle Access Management Mobile and Social is packaged with Oracle Access Management. In this option, only Oracle Access Management Mobile and Social is enabled as a service, by default. All the other Oracle Access Management components are disabled.

10.4.2.2 Appropriate Deployment Environment

Perform the configuration in this topic if you want to use only Oracle Access Management Mobile and Social. This is a lightweight deployment option in which you do not need to configure a database. This configuration is suitable if you want to integrate Oracle Access Management Mobile and Social with identity products from other vendors.

This configuration is also suitable for using Oracle Access Management Mobile and Social with older releases of Oracle Access Manager such as Oracle Access Manager 10g or Oracle Access Manager 11gR1.

10.4.2.3 Components Deployed

Performing the configuration in this section deploys the following Oracle Access Management components:

■ Oracle Access Manager

■ Oracle Access Management Security Token Service

■ Oracle Access Management Identity Federation

■ Oracle Access Management Mobile and Social

10.4.2.4 Dependencies

The configuration in this section depends on the following:

■ Oracle WebLogic Server 11g Release 1 (10.3.6) or Oracle WebLogic Server 11g Release 1 (10.3.5).

■ Installation of the Oracle Identity and Access Management 11g software.

10.4.2.5 Procedure

Perform the following steps to configure Oracle Access Management Mobile and Social standalone in a new WebLogic administration domain:

1. Start the Oracle Fusion Middleware Configuration Wizard by running the <IAM_Home>/common/bin/config.sh script (on UNIX), or <IAM_Home>\common\bin\config.cmd (on Windows).

The Welcome screen of the Oracle Fusion Middleware Configuration Wizard appears.

2. On the Welcome screen, select Create a new WebLogic domain, and click Next. The Select Domain Source screen appears.

3. On the Select Domain Source screen, ensure that the Generate a domain configured automatically to support the following products: option is selected. Select Oracle Access Management Mobile and Social only - 11.1.2.0.0 [IAM_Home].

Note: IAM_Home is used as an example here. You must run this script from your Oracle Identity and Access Management Home directory that contains Oracle Identity Manager, Oracle Access Management, Oracle Adaptive Access Manager, Oracle Entitlements Server, Oracle Privileged Account Manager, Oracle Access Management Mobile and Social, and Oracle Identity Navigator.

Click Next. The Specify Domain Name and Location screen appears.

4. Enter a name and a location for the domain to be created, and click Next. The Configure Administrator User Name and Password screen appears.

5. Configure a user name and a password for the administrator. The default user name is weblogic. Click Next.

6. Choose a JDK and Production Mode in the Configure Server Start Mode and JDK screen of the Oracle Fusion Middleware Configuration Wizard. Click Next.

The Select Optional Configuration screen appears.

7. On the Select Optional Configuration screen, you can configure Administration Server and Managed Servers, Clusters, and Machines, Deployments and Services, and RDBMS Security Store options. Click Next.

8. Optional: Configure the following Administration Server parameters:

■ Name

■ Listen address

■ Listen port

■ SSL listen port

■ SSL enabled or disabled

9. Optional: Configure Managed Servers, as required.

10. Optional: Configure Clusters, as required.

For more information about configuring clusters for Oracle Identity and Access Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

11. Optional: Assign Managed Servers to clusters, as required.

12. Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

13. Optional: Assign the Administration Server to a machine.

14. Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

15. Optional: Configure RDBMS Security Store, as required.

Note: When you select the Oracle Access Management Mobile and Social only - 11.1.2.0.0 [IAM_Home] option, the Oracle JRF 11.1.1.0 [oracle_common] option is also selected, by default.

Tip: Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.


16. On the Configuration Summary screen, you can view summaries of your configuration for deployments, application, and service. Review the domain configuration, and click Create to start creating the domain.

A new WebLogic domain to support Oracle Access Management Mobile and Social is created in the <MW_HOME>\user_projects\domains directory (on Windows). On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory.

17. After installing and configuring Oracle Access Management Mobile and Social, you must start the Oracle WebLogic Administration Server, as described in Appendix C.1, "Starting the Stack".

18. You must start all Managed Servers, as described in Appendix C.1, "Starting the Stack".

10.5 Verifying Oracle Access Management Mobile and Social

After completing the installation process, you can verify the installation and configuration of Oracle Access Management Mobile and Social as follows:

1. Ensure that the Administration Server and the Managed Server are up and running.

2. Log in to the Administration Console for Oracle Access Management using the URL: http://<adminserver-host>:<adminserver-port>/oamconsole

When you access this Administration Console running on the Administration Server, you are prompted to enter a user name and password. Note that you must have the Administrator role and privileges.

3. From the Oracle Access Management console, go to the System Configuration tab > Common Configuration section > Available Services node.

If you have configured Oracle Access Management Mobile and Social with Oracle Access Management, you must enable the Status of Mobile and Social and ensure that the Status of Mobile and Social has a green check mark.

If you have configured Oracle Access Management Mobile and Social standalone, ensure that the Status of Mobile and Social has a green check mark.

10.6 Getting Started with Oracle Access Management Mobile and Social After Installation

After installing Oracle Access Management Mobile and Social, refer to the "Mobile and Social System Configuration and Administration" chapter in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

Note: When you configure Oracle Access Management Mobile and Social standalone, Oracle Access Management Mobile and Social provides pre-configured Service Providers. To create a new (custom) Service Provider, refer to "Editing or Creating Service Providers" in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

11 Migrating from Domain Agent to Oracle HTTP Server 10g Webgate for Oracle Access Manager

This chapter describes how to migrate from the Domain Agent to Oracle HTTP Server 10g Webgate for Oracle Access Manager to protect applications by using the same policy domain used by the Domain Agent. By default, applications deployed in an Oracle Identity and Access Management domain are protected by the Domain Agent.

This chapter discusses the following topics:

■ Installing and Configuring Oracle HTTP Server 11g (11.1.1.5.0)

■ Provisioning Oracle HTTP Server 10g Webgate for Oracle Access Manager Profile

■ Installing Oracle HTTP Server 10g Webgate for Oracle Access Manager

■ Configuring mod_weblogic

■ Optional: Configuring Host Identifier

■ Updating Oracle Identity Manager Server Configuration

■ Optional: Disabling Domain Agent

■ Optional: Updating Oracle Identity Manager Configuration

11.1 Installing and Configuring Oracle HTTP Server 11g (11.1.1.5.0)

If you do not have an existing Oracle HTTP Server 11g (11.1.1.5.0) installation, you can install Oracle HTTP Server 11.1.1.2.0 and patch it to the latest version, 11.1.1.5.0.

Oracle HTTP Server 11.1.1.2.0 is included in the Oracle Web Tier 11g Installer; you must download the Oracle Web Tier 11g (11.1.1.2.0) Installer from the Oracle Technology Network (OTN):

http://www.oracle.com/technology/software/products/middleware/htdocs/fmw_11_download.html

Note: Read this chapter only if you want to use Oracle HTTP Server 10g Webgate for Oracle Access Manager after setting up integration between Oracle Identity Manager and Oracle Access Manager, as described in the chapter "Integrating Access Manager and Oracle Identity Manager" in the Oracle Fusion Middleware Integration Guide for Oracle Identity Management Suite.


Alternatively, you can download the latest Oracle Fusion Middleware 11g software from the following website:

http://edelivery.oracle.com/

11.2 Provisioning Oracle HTTP Server 10g Webgate for Oracle Access Manager Profile

For information about provisioning a profile for Oracle HTTP Server 10g Webgate for use with Oracle Access Manager 11g server, see the "Provisioning a 10g WebGate for Use with OAM 11g" topic in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

11.3 Installing Oracle HTTP Server 10g Webgate for Oracle Access Manager

For information about installing Oracle HTTP Server 10g Webgate for Oracle Access Manager, see the "Locating and Installing the Latest OAM 10g WebGate for OAM 11g" topic in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

11.4 Configuring mod_weblogic

After installing Oracle HTTP Server 10g Webgate for Oracle Access Manager, you must configure the Web server to forward requests to the applications deployed on the WebLogic Server.

■ Open the mod_wl_ohs.conf, which is located in <OHS_Instance_Home>/config/OHS/<Instance_Name>, in a text editor and add appropriate entries, as in the following example:

<IfModule weblogic_module>
  <Location /oamconsole>
    SetHandler weblogic-handler
    WebLogicHost examplehost.exampledomain.com
    WebLogicPort 6162
  </Location>
  <Location /apmconsole>
    SetHandler weblogic-handler
    WebLogicHost examplehost.exampledomain.com
    WebLogicPort 6162
  </Location>
</IfModule>

Add similar Location entries for all the URIs of all the applications that were previously accessed directly on WebLogic Server.

Note: For information about installing and configuring Oracle HTTP Server 11g (11.1.1.2.0), see the "Installing Oracle Web Tier" topic in the Oracle Fusion Middleware Installation Guide for Oracle Web Tier. For information about patching Oracle HTTP Server 11.1.1.2.0 to 11.1.1.5.0 using the Patch Set Installer, see the "Applying the Latest Oracle Fusion Middleware Patch Set" topic in the Oracle Fusion Middleware Patching Guide.

After you install and configure Oracle HTTP Server, a working instance of Oracle HTTP Server is configured in an Instance Home.

Note: Ensure that the hostIdentifier parameter is set to IDMDomain and the autoCreatePolicy parameter is set to false when you are provisioning Oracle HTTP Server 10g Webgate to replace Domain Agent for OAM-OIM integration.

■ After making the changes, restart Oracle HTTP Server. You can use the OPMN command-line tool to start or stop your Oracle HTTP Server instance. If any instances are running, run the following command on the command-line to stop all running instances:

<Oracle_Home_for_Oracle_HTTP_Server>/opmn/bin/opmnctl stopall

To restart the Oracle HTTP Server instance, run the following commands on the command line:

1. <Oracle_Home_for_Oracle_HTTP_Server>/opmn/bin/opmnctl start

2. <Oracle_Home_for_Oracle_HTTP_Server>/opmn/bin/opmnctl startproc ias-component=<Oracle_HTTP_Server_Instance_Name>
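The guide asks you to add a Location entry for every application URI that was previously reached directly on WebLogic Server. The following added example (not from the Oracle guide) renders those entries in the same layout and audits an existing mod_wl_ohs.conf for URIs that are missing or whose block lacks the handler, host or port; the host, port and URI list are constructed sample values.

```python
"""Added example (not part of the Oracle guide): render the <Location> entries
that mod_wl_ohs.conf needs for every application URI that used to be reached
directly on WebLogic Server, and audit an existing file for URIs that are not
yet forwarded. Host, port and the URI list are constructed sample values."""
import re

# Constructed sample values: the WebLogic host/port that serves the consoles
# and the URIs that must be fronted by Oracle HTTP Server.
WLS_HOST = "examplehost.exampledomain.com"
WLS_PORT = 6162
FRONTED_URIS = ["/oamconsole", "/apmconsole", "/oim", "/identity"]


def render_location(uri, host, port):
    """Return one <Location> block in the layout the guide's example uses."""
    return (
        f"<Location {uri}>\n"
        f"  SetHandler weblogic-handler\n"
        f"  WebLogicHost {host}\n"
        f"  WebLogicPort {port}\n"
        f"</Location>\n"
    )


def render_mod_wl_ohs(uris, host, port):
    """Return a complete <IfModule weblogic_module> section covering all URIs."""
    blocks = "".join(render_location(u, host, port) for u in uris)
    return f"<IfModule weblogic_module>\n{blocks}</IfModule>\n"


_LOCATION_RE = re.compile(r"<Location\s+(\S+)\s*>(.*?)</Location>", re.S)


def audit_mod_wl_ohs(conf_text, required_uris):
    """Compare an existing mod_wl_ohs.conf against the URIs that must be fronted.

    Returns a dict with:
      "missing":    required URIs that have no <Location> block at all;
      "incomplete": URIs whose block lacks SetHandler weblogic-handler,
                    WebLogicHost or WebLogicPort, so OHS cannot forward them.
    """
    found = {m.group(1): m.group(2) for m in _LOCATION_RE.finditer(conf_text)}
    missing = [u for u in required_uris if u not in found]
    incomplete = []
    for uri in required_uris:
        body = found.get(uri)
        if body is None:
            continue
        has_handler = re.search(r"^\s*SetHandler\s+weblogic-handler\s*$", body, re.M)
        has_host = re.search(r"^\s*WebLogicHost\s+\S+", body, re.M)
        has_port = re.search(r"^\s*WebLogicPort\s+\d+", body, re.M)
        if not (has_handler and has_host and has_port):
            incomplete.append(uri)
    return {"missing": missing, "incomplete": incomplete}


# Constructed mod_wl_ohs.conf that fronts only the two consoles from the
# guide's example and omits the port for /apmconsole.
PARTIAL_CONF = """<IfModule weblogic_module>
<Location /oamconsole>
  SetHandler weblogic-handler
  WebLogicHost examplehost.exampledomain.com
  WebLogicPort 6162
</Location>
<Location /apmconsole>
  SetHandler weblogic-handler
  WebLogicHost examplehost.exampledomain.com
</Location>
</IfModule>
"""

if __name__ == "__main__":
    # {'missing': ['/oim', '/identity'], 'incomplete': ['/apmconsole']}
    print(audit_mod_wl_ohs(PARTIAL_CONF, FRONTED_URIS))
    print(render_mod_wl_ohs(FRONTED_URIS, WLS_HOST, WLS_PORT))
```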

Enabling WebLogic Plug-in

You must set the WebLogic plug-in at the domain level. To do this, perform the following steps:

1. Log in to the Oracle WebLogic Server Administration Console at:

http://hostname:port/console

2. Click Lock and Edit.

3. Click IDMDomain in the Domain Structure menu.

4. Click the Configuration tab.

5. Click the Web Applications sub tab.

6. Select WebLogic Plug-in Enabled.

7. Click Save, and then click Activate Changes.

8. Restart the WebLogic Administration Server and the Managed Servers, as described in Section C.1, "Starting the Stack".

11.5 Optional: Configuring Host Identifier

This task is required only if you have set up integration between Oracle Identity Manager and Oracle Access Manager.

To configure host identifiers for auto-login functionality, complete the following steps:

1. Launch the Oracle Access Manager Administration Console (http://<oamserverhost>:<adminport>/oamconsole).

2. Click the Policy Configuration tab.

3. On the left navigation pane, click Host Identifiers > IDMDomain. The Host Identifier page is displayed.

4. In the Operations section on the Host Identifier page, all the host name and port number combinations are listed. Verify whether the section includes the host name and port number of the web server on which the Oracle HTTP Server 10g Webgate is configured.

If it is not listed, add an entry as follows:

a. On the Operation section, click the + icon. A new blank row is added to the Operations section.

b. In the Host Name field, enter the host name of the web server on which the Oracle HTTP Server 10g Webgate is configured.

c. In the Port field, enter the port number.

d. Click Apply.

11.6 Updating Oracle Identity Manager Server Configuration

Update the Oracle Identity Manager (OIM) configuration in the oam-config.xml file (located in the <DOMAIN_HOME>/config/fmwconfig directory) to ensure that the Host and Port attributes of the IdentityManagement element in the file point to the Oracle HTTP Server on which the Oracle HTTP Server Webgate 10g is configured:

1. Open the oam-config.xml file in a text editor.

2. Update the entries as follows:

<Setting Name="IdentityManagement" Type="htf:map">
  <Setting Name="ServerConfiguration" Type="htf:map">
    <Setting Name="OIM-SERVER-1" Type="htf:map">
      <Setting Name="Host" Type="xsd:string">OHS-HOST</Setting>
      <Setting Name="Port" Type="xsd:integer">OHS-PORT</Setting>
      <Setting Name="SecureMode" Type="xsd:boolean">false</Setting>
    </Setting>
  </Setting>
</Setting>

Replace OHS-HOST and OHS-PORT with the host name and port of the Oracle HTTP Server on which the Oracle HTTP Server Webgate 10g is configured.
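Editing oam-config.xml by hand is easy to get wrong, so the following added example (not from the Oracle guide) rewrites the Host, Port and SecureMode settings of OIM-SERVER-1 under IdentityManagement programmatically and reads the endpoint back for verification. SAMPLE_OAM_CONFIG is a constructed fragment containing only the elements shown above; the host and port values are sample values.

```python
"""Added example (not part of the Oracle guide): point OIM-SERVER-1 in
oam-config.xml at the Oracle HTTP Server that fronts the 10g Webgate, and
read the endpoint back to verify the edit. The XML fragment is constructed."""
import xml.etree.ElementTree as ET

# Constructed fragment in the shape shown in Section 11.6, still pointing at
# the OIM Managed Server directly (sample host and port).
SAMPLE_OAM_CONFIG = """<Setting Name="IdentityManagement" Type="htf:map">
  <Setting Name="ServerConfiguration" Type="htf:map">
    <Setting Name="OIM-SERVER-1" Type="htf:map">
      <Setting Name="Host" Type="xsd:string">oimhost.example.com</Setting>
      <Setting Name="Port" Type="xsd:integer">14000</Setting>
      <Setting Name="SecureMode" Type="xsd:boolean">false</Setting>
    </Setting>
  </Setting>
</Setting>
"""


def _setting(parent, name):
    """Return the direct child <Setting Name=name> of parent, or raise KeyError."""
    for child in parent.findall("Setting"):
        if child.get("Name") == name:
            return child
    raise KeyError(f'no <Setting Name="{name}"> under {parent.get("Name")}')


def _identity_management(root):
    """Locate the IdentityManagement map, whether the parsed text is the
    fragment alone or a complete oam-config.xml document."""
    if root.tag == "Setting" and root.get("Name") == "IdentityManagement":
        return root
    for el in root.iter("Setting"):
        if el.get("Name") == "IdentityManagement":
            return el
    raise KeyError("IdentityManagement map not found")


def point_oim_server_at_ohs(xml_text, ohs_host, ohs_port, secure=False,
                            server="OIM-SERVER-1"):
    """Return xml_text with Host/Port/SecureMode of `server` set to the OHS endpoint.

    Input is validated before the document is touched so a typo cannot leave
    the file half-edited."""
    port = int(ohs_port)  # raises ValueError for a non-numeric port
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if not ohs_host or any(c.isspace() for c in ohs_host):
        raise ValueError(f"invalid host: {ohs_host!r}")
    root = ET.fromstring(xml_text)
    srv = _setting(_setting(_identity_management(root), "ServerConfiguration"),
                   server)
    _setting(srv, "Host").text = ohs_host
    _setting(srv, "Port").text = str(port)
    _setting(srv, "SecureMode").text = "true" if secure else "false"
    return ET.tostring(root, encoding="unicode")


def oim_server_endpoint(xml_text, server="OIM-SERVER-1"):
    """Return (host, port, secure) for `server`, for a post-edit check."""
    srv = _setting(_setting(_identity_management(ET.fromstring(xml_text)),
                            "ServerConfiguration"), server)
    return (_setting(srv, "Host").text,
            int(_setting(srv, "Port").text),
            _setting(srv, "SecureMode").text == "true")


if __name__ == "__main__":
    updated = point_oim_server_at_ohs(SAMPLE_OAM_CONFIG, "ohs.example.com", 7777)
    print(oim_server_endpoint(updated))  # ('ohs.example.com', 7777, False)
```

To apply it to a real domain, read <DOMAIN_HOME>/config/fmwconfig/oam-config.xml into xml_text and write the returned string back only after oim_server_endpoint confirms the expected values.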

After updating OIM Server configuration, you must perform logout configuration as follows:

1. Copy the logout.html file from the <IAM_ORACLE_HOME>/oam/server/oamsso directory to the <10gWebgateInstallation>/access/oamsso directory.

2. Edit the SERVER_LOGOUTURL variable in the logout.html file to point to the host and port of the Oracle Access Manager Server. Follow the instructions in the logout.html file.

3. If the httpd.conf file of the web server includes the following entries, remove them from the httpd.conf file:

<LocationMatch "/oamsso/*">
  Satisfy any
</LocationMatch>

Note: Ensure that you have set up integration between Oracle Identity Manager and Oracle Access Manager, as described in the topic "Integrating Access Manager and Oracle Identity Manager" in the Oracle Fusion Middleware Integration Guide for Oracle Identity Management Suite.


11.7 Optional: Disabling Domain Agent

Domain Agent, which runs on the Administration Server and all Managed Servers in the Oracle Identity and Access Management domain, automatically detects the existence of a Webgate in the request flow. You do not need to disable the Domain Agent. However, if you want to disable the out-of-the-box Domain Agent, you can complete the following steps:

1. From your present working directory, move to the <MW_HOME>/user_projects/domains/<name_of_your_WebLogic_domain> directory (on UNIX). On Windows, move to the <MW_HOME>\user_projects\domains\<name_of_your_WebLogic_domain> directory.

2. To disable the Domain Agent running on the Administration Server, start the WebLogic Administration Server on the command line as follows:

On UNIX:

./startWebLogic.sh -DWLSAGENT_DISABLED=true

On Windows:

startWebLogic.cmd -DWLSAGENT_DISABLED=true

3. From your present working directory, move to the <MW_HOME>/user_projects/domains/<name_of_your_WebLogic_domain>/bin directory (on UNIX). On Windows, move to the <MW_HOME>\user_projects\domains\<name_of_your_WebLogic_domain>\bin directory.

4. To disable the Domain Agent running on Managed Servers in the domain, start the Managed Servers on the command line as follows:

On UNIX:

./startManagedWebLogic.sh <name_of_your_Managed_Server> -DWLSAGENT_DISABLED=true

On Windows:

startManagedWebLogic.cmd <name_of_your_Managed_Server> -DWLSAGENT_DISABLED=true

11.8 Optional: Updating Oracle Identity Manager Configuration

You can update the <OHS_Instance_Home>/config/OHS/<ohs_name>/mod_wl_ohs.conf file to front-end Oracle Identity Manager URLs with Oracle HTTP Server.

To do so, complete the following steps:

Open the mod_wl_ohs.conf file in a text editor and add appropriate entries, as in the following example:

<IfModule weblogic_module>
    WebLogicHost OIM_MANAGED_SERVER_HOST
    WebLogicPort OIM_MANAGED_SERVER_PORT
    MatchExpression /oim*
    MatchExpression /admin*
    MatchExpression /xlWebApp*
    MatchExpression /Nexaweb*
    MatchExpression /workflowservice*
    MatchExpression /callbackService*
    MatchExpression /SchedulerService-web*
    MatchExpression /iam-consoles-faces*
</IfModule>


Replace the values of OIM_MANAGED_SERVER_HOST and OIM_MANAGED_SERVER_PORT with the values of Oracle Identity Manager Managed Server’s host and port.

After making the changes, restart Oracle HTTP Server. You can use the OPMN command-line tool to start or stop your Oracle HTTP Server instance. If any instances are running, run the following command on the command-line to stop all running instances:

<Oracle_Home_for_Oracle_HTTP_Server>/opmn/bin/opmnctl stopall

To restart the Oracle HTTP Server instance, run the following commands on the command line:

1. <Oracle_Home_for_Oracle_HTTP_Server>/opmn/bin/opmnctl start

2. <Oracle_Home_for_Oracle_HTTP_Server>/opmn/bin/opmnctl startproc ias-component=<Oracle_HTTP_Server_Instance_Name>

Updating the OIM Configuration When the OAM URL or Agent Profile Changes

You can update the Oracle Identity Manager configuration when the name of the agent profile is modified or the OAM URL is modified.

To update Oracle Identity Manager configuration, complete the following steps:

1. Export the oim-config.xml file from metadata by running <IAM_ORACLE_HOME>/server/bin/weblogicExportMetadata.sh (on UNIX) and exporting the /db/oim-config.xml file. On Windows operating systems, use the weblogicExportMetadata.bat file located in the same directory.

2. Update the file to use Oracle HTTP Server 10g Webgate by updating following element under the <ssoConfig> tag:

<webgateType>javaWebgate</webgateType> to <webgateType>ohsWebgate10g</webgateType>

3. Import oim-config.xml back to metadata by running <IAM_Home>/server/bin/weblogicImportMetadata.sh on UNIX. On Windows, use the weblogicImportMetadata.bat located in the same directory.

4. Log in to Oracle Enterprise Manager Fusion Middleware Control using your WebLogic Server administrator credentials.

5. Click Identity and access > oim > oim(version). Right-click and select System MBean Browser. The System MBean Browser page is displayed.

6. Under Application Defined MBeans, select oracle.iam > Server:oim_server1 > Application: oim > XMLConfig > config.

7. Replace the front-end URL with the URL of Oracle HTTP Server. This should be the same Oracle HTTP Server that was used before installing Oracle HTTP Server 10g Webgate for Oracle Access Manager. Complete the following steps:

a. Under XMLConfig MBean, move to XMLConfig.DiscoveryConfig.

b. Update OimFrontEndURL with the URL of Oracle HTTP Server.

c. Click Apply.

8. Restart the OIM server.

12 Installing and Configuring Oracle HTTP Server 11g Webgate for Oracle Access Manager

This chapter describes how to install and configure Oracle HTTP Server 11g Webgate for Oracle Access Manager.

It discusses the following topics:

■ Installation Overview

■ Preparing to Install Oracle HTTP Server 11g Webgate for Oracle Access Manager

■ Installing Oracle HTTP Server 11g Webgate for Oracle Access Manager

■ Post-Installation Steps

■ Verifying the Oracle HTTP Server 11g Webgate for Oracle Access Manager

■ Getting Started with a New Oracle HTTP Server 11g Webgate Agent for Oracle Access Manager

12.1 Installation Overview

Installing Oracle HTTP Server 11g Webgate for Oracle Access Manager involves the following steps:

1. Installing Oracle HTTP Server 11g (11.1.1.5.0 or 11.1.1.6.0)

2. On Linux and Solaris operating systems: Installing third-party GCC libraries.

3. Running the Oracle HTTP Server Webgate Installer to install Oracle HTTP Server 11g Webgate for Oracle Access Manager

4. Verifying the installation of Oracle HTTP Server 11g Webgate for Oracle Access Manager

5. Completing post-installation configuration steps

6. Registering the new Webgate agent

Table 12–1 lists the Installers and tools used to install and configure Oracle HTTP Server 11g Webgate for Oracle Access Manager at different stages of the installation and configuration process.

Note: Step 2 (installing third-party GCC libraries) is required only if you are installing Oracle HTTP Server 11g 11.1.1.5.0.


12.2 Preparing to Install Oracle HTTP Server 11g Webgate for Oracle Access Manager

Oracle HTTP Server 11g Webgate for Oracle Access Manager requires Oracle HTTP Server 11g (11.1.1.5.0 or 11.1.1.6.0), which is included in the Oracle Web Tier 11g Installer. For information about installing Oracle HTTP Server, see the Oracle Fusion Middleware Installation Guide for Oracle Web Tier corresponding to the Oracle HTTP Server version you are using.

In addition, if you are using the Linux or Solaris operating system, you must install third-party GCC libraries on your machine before installing Oracle HTTP Server 11g Webgate for Oracle Access Manager. This step is required only if you are installing Oracle HTTP Server 11g 11.1.1.5.0.

This section discusses the following topics:

■ Oracle Fusion Middleware Certification

■ Installing and Configuring Oracle Access Manager 11g

■ Installing and Configuring Oracle HTTP Server 11g

■ Installing Third-Party GCC Libraries (Linux and Solaris Operating Systems Only)

■ Prerequisites for 64-Bit Oracle HTTP Server 11g Webgates on Windows 2003 and Windows 2008 64-Bit Platforms

12.2.1 Oracle Fusion Middleware Certification

Review Oracle HTTP Server 11g Webgate certification information, which is available in the Oracle Fusion Middleware Supported System Configurations document.

The Oracle Fusion Middleware Supported System Configurations document provides certification information for Oracle Fusion Middleware, including supported installation types, platforms, operating systems, databases, JDKs, and third-party products related to Oracle Identity and Access Management 11g Release 2 (11.1.2).

12.2.2 Installing and Configuring Oracle Access Manager 11g

For information about installing Oracle Access Manager, see Installing and Configuring Oracle Identity and Access Management (11.1.2). For information about configuring Oracle Access Manager in a new or existing WebLogic administration domain, see Configuring Oracle Access Management.

In addition, see the "Securing Communication Between OAM 11g Servers and WebGates" topic in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management for information about configuring Oracle Access Manager in Open, Simple, or Cert mode.

Table 12–1 Installation and Configuration Tools

Task                                                     Tool
Install Oracle HTTP Server (11.1.1.5.0 or 11.1.1.6.0)    Oracle Web Tier Installer based on the version you want to use
Install Oracle HTTP Server Webgate 11g                   Oracle HTTP Server Webgate 11g Installer
Register Webgate Agent                                   RREG Tool, or the Oracle Access Manager Administration Console
Start or Stop Process Instances                          OPMN Command-Line Tool

12.2.3 Installing and Configuring Oracle HTTP Server 11g

Oracle HTTP Server 11g Webgate for Oracle Access Manager is supported on Oracle HTTP Server 11.1.1.5.0 and Oracle HTTP Server 11.1.1.6.0. You can install either version.

If you do not have Oracle HTTP Server 11.1.1.2.0 installed, you can download the Oracle Web Tier 11g (11.1.1.2.0) Installer from the Oracle Technology Network (OTN):

http://www.oracle.com/technology/software/products/middleware/htdocs/fmw_11_download.html

Alternatively, you can download the latest Oracle Fusion Middleware 11g software from the following website:

http://edelivery.oracle.com/

Note: If you are installing Oracle HTTP Server 11.1.1.5.0, you must first install Oracle HTTP Server 11.1.1.2.0 software and patch it to Oracle HTTP Server 11.1.1.5.0 using the Patch Set Installer.

Note: For information about installing and configuring Oracle HTTP Server 11g software, see the "Installing Oracle Web Tier" topic in the Oracle Fusion Middleware Installation Guide for Oracle Web Tier.

For information about patching Oracle HTTP Server 11.1.1.2.0 to 11.1.1.5.0 using the corresponding Patch Set Installer, see the "Applying the Latest Oracle Fusion Middleware Patch Set" topic in the Oracle Fusion Middleware Patching Guide.

After you install and configure Oracle HTTP Server, a working instance of Oracle HTTP Server is configured in an Instance Home.

12.2.4 Installing Third-Party GCC Libraries (Linux and Solaris Operating Systems Only)

If you are installing Oracle HTTP Server 11.1.1.5.0 Webgate for Oracle Access Manager on a Linux or Solaris operating system, you must download and install third-party GCC libraries on your machine. See Table 12–2 for more information.

You can download the appropriate GCC library from the following third-party website:

http://gcc.gnu.org/

Note: You must download sources from this website and compile them to obtain the GCC libraries.

For some operating systems, the required libraries may be available as installable packages from the support websites of operating system vendors.


12.2.4.1 Verifying the GCC Libraries Version on Linux and Solaris Operating Systems

Perform the following checks to verify the version of the GCC libraries. Run each command from the directory that contains the libraries (the commands use relative file names) and ensure that every command prints a count greater than 0:

On the Linux32 on i386 platform:

strings -a libgcc_s.so.1 | grep -c "GCC_3.0"
strings -a libgcc_s.so.1 | grep -v "GCC_3.3.1" | grep -c "GCC_3.3"
file libgcc_s.so.1 | grep "32-bit" | grep -c "80386"
file libstdc++.so.5 | grep "32-bit" | grep -c "80386"

On the Linux 64 on x86-64 platform:

strings -a libgcc_s.so.1 | grep -c "GCC_3.0"
strings -a libgcc_s.so.1 | grep -v "GCC_3.3.1" | grep -c "GCC_3.3"
strings -a libgcc_s.so.1 | grep -c "GCC_4.2.0"
file libgcc_s.so.1 | grep "64-bit" | grep -c "x86-64"
file -L libstdc++.so.6 | grep "64-bit" | grep -c "x86-64"

On the Solaris 64 on SPARC platform:

strings -a libgcc_s.so.1 | grep -c "GCC_3.0"
strings -a libgcc_s.so.1 | grep -v "GCC_3.3.1" | grep -c "GCC_3.3"
file libgcc_s.so.1 | grep "64-bit" | grep -c "SPARC"
file libstdc++.so.5 | grep "64-bit" | grep -c "SPARC"
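The following script is an added example and is not part of the Oracle guide. It wraps the checks above in one function so that all of them run against a given library directory and every failing check is reported by name instead of having to read the counts by hand. It assumes only that the strings and file tools are on the PATH; the platform labels linux32, linux64 and solaris64 are chosen for this script and correspond to the three rows of Table 12–2.

```shell
#!/bin/sh
# check_gcc_libs LIBDIR PLATFORM
#   LIBDIR    directory that holds libgcc_s.so.1 and libstdc++.so.N
#             (for example /usr/lib64 or /usr/lib/x86_64-linux-gnu)
#   PLATFORM  linux32 | linux64 | solaris64 (labels chosen for this script;
#             they correspond to the three rows of Table 12-2)
# Runs the same strings/file checks as the guide and prints one line per
# failed check. Returns 0 when every count is > 0, 1 when any check fails,
# 2 for an unknown platform name.
check_gcc_libs() {
    libdir=$1
    case $2 in
        linux32)   stdcpp=libstdc++.so.5; bits=32-bit; cpu=80386;  extra= ;;
        linux64)   stdcpp=libstdc++.so.6; bits=64-bit; cpu=x86-64; extra=GCC_4.2.0 ;;
        solaris64) stdcpp=libstdc++.so.5; bits=64-bit; cpu=SPARC;  extra= ;;
        *) echo "unknown platform: $2 (expected linux32, linux64 or solaris64)" >&2
           return 2 ;;
    esac
    libgcc=$libdir/libgcc_s.so.1
    failed=0

    # Symbol-version strings that must be present in libgcc_s.so.1.
    _gcc_expect "GCC_3.0 symbol version in $libgcc" \
        "$(strings -a "$libgcc" 2>/dev/null | grep -c 'GCC_3.0')" || failed=1
    _gcc_expect "GCC_3.3 symbol version in $libgcc" \
        "$(strings -a "$libgcc" 2>/dev/null | grep -v 'GCC_3.3.1' | grep -c 'GCC_3.3')" || failed=1
    if [ -n "$extra" ]; then
        _gcc_expect "$extra symbol version in $libgcc" \
            "$(strings -a "$libgcc" 2>/dev/null | grep -c "$extra")" || failed=1
    fi

    # Word size and CPU reported by file. -L follows symlinks so the real ELF
    # object is inspected; the guide uses plain file for .so.5, but on the
    # symlinked layout of most distributions -L is the safer choice for both.
    _gcc_expect "$libgcc is a $bits $cpu object" \
        "$(file -L "$libgcc" 2>/dev/null | grep "$bits" | grep -c "$cpu")" || failed=1
    _gcc_expect "$libdir/$stdcpp is a $bits $cpu object" \
        "$(file -L "$libdir/$stdcpp" 2>/dev/null | grep "$bits" | grep -c "$cpu")" || failed=1

    return $failed
}

# _gcc_expect DESCRIPTION COUNT: succeed only when COUNT is a number > 0.
# A missing library or a missing strings/file tool yields an empty or zero
# count, which is reported as a failure rather than silently passing.
_gcc_expect() {
    case $2 in
        ''|*[!0-9]*) echo "FAIL: $1 (no count)"; return 1 ;;
    esac
    [ "$2" -gt 0 ] && return 0
    echo "FAIL: $1 (count=$2)"
    return 1
}

# Usage: sh check_gcc_libs.sh /usr/lib64 linux64
if [ $# -eq 2 ]; then
    check_gcc_libs "$1" "$2" && echo "OK: all GCC library checks passed for $2"
fi
```

Run it once per Webgate host before launching the Webgate installer; a non-zero exit with a FAIL line names the library that must be rebuilt from the GCC sources or installed from the vendor package.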

12.2.5 Prerequisites for 64-Bit Oracle HTTP Server 11g Webgates on Windows 2003 and Windows 2008 64-Bit Platforms

If you are using Windows 2003 or Windows 2008 64-bit operating systems, you must install Microsoft Visual C++ 2005 libraries on the machine hosting the Oracle HTTP Server 11g Webgate for Oracle Access Manager.

These libraries are included in the Microsoft Visual C++ 2005 SP1 Redistributable Package (x64), which can be downloaded from the following website:

http://www.microsoft.com/DownLoads/details.aspx?familyid=EB4EBE2D-33C0-4A47-9DD4-B9A6D7BD44DA&displaylang=en

In addition, install the Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package MFC Security Update, which can be downloaded from the following website:

http://www.microsoft.com/downloads/en/details.aspx?familyid=fb01abe6-9099-4544-9aec-0ac13f19bc50&displaylang=en

Table 12–2 Versions of GCC Third-Party Libraries for Linux and Solaris

Operating System   Architecture   GCC Libraries                    Required Library Version
Linux 32-bit       x86            libgcc_s.so.1, libstdc++.so.5    3.3.2
Linux 64-bit       x64            libgcc_s.so.1, libstdc++.so.6    3.4.6
Solaris 64-bit     SPARC          libgcc_s.so.1, libstdc++.so.5    3.3.2

12.3 Installing Oracle HTTP Server 11g Webgate for Oracle Access Manager

This section discusses the following topics:

■ Launching the Installer

■ Installation Flow and Procedure

12.3.1 Launching the InstallerYou can download the Oracle HTTP Server 11g Webgate for Oracle Access Manager Installer from the Oracle Technology Network (OTN):

http://www.oracle.com/technetwork/middleware/downloads/oid-11g-161194.html

Alternatively, you can download the latest Oracle Fusion Middleware 11g software from the following website:

http://edelivery.oracle.com/

Start the Installer by executing one of the following commands:

UNIX: <full path to the runInstaller directory>/runInstaller -jreLoc <WebTier_Home>/jdk

Windows: <full path to the setup.exe directory>\setup.exe -jreLoc <WebTier_Home>\jdk

Note: When you install Oracle HTTP Server, the jdk directory is created under the <WebTier_Home> directory. You must pass the absolute path of this JDK directory with the -jreLoc option when launching the installer. For example, on Windows, if the JDK is located in D:\oracle\Oracle_WT1\jdk, then launch the installer from the command prompt as follows:

D:\setup.exe -jreLoc D:\oracle\Oracle_WT1\jdk

After the Installer starts, the Welcome screen appears. Continue by referring to the section Installation Flow and Procedure for installing Oracle HTTP Server 11g Webgate for Oracle Access Manager.

12.3.2 Installation Flow and Procedure

Follow the instructions in Table 12–3 to install Oracle HTTP Server 11g Webgate for Oracle Access Manager.

If you need additional help with any of the installation screens, click Help to access the online help.

Table 12–3 Installation Flow

No. Screen: Description and Action Required

1. Welcome Screen: Click Next to continue.

2. Prerequisite Checks Screen: Click Next to continue.

3. Specify Installation Location Screen: Specify the Middleware Home and Oracle Home locations. Note that the Middleware Home should contain an Oracle Home for Oracle Web Tier. Oracle WebLogic Server is not a prerequisite for installing Oracle HTTP Server Webgate; Oracle HTTP Server, which is a component of Oracle Web Tier, requires only the directory structure of the Middleware Home. For more information about these directories, see "Understanding Oracle Fusion Middleware Concepts and Directory Structure" in Oracle Fusion Middleware Installation Planning Guide. Click Next to continue.

5. Installation Summary Screen: Verify the information on this screen. Click Install to begin the installation.

6. Installation Progress Screen: If you are installing on a UNIX system, you may be asked to run the ORACLE_HOME/oracleRoot.sh script to set up the proper file and directory permissions. Click Next to continue.

7. Installation Complete Screen: Click Finish to dismiss the installer.

12.4 Post-Installation Steps

You must complete the following steps after installing Oracle HTTP Server 11g Webgate for Oracle Access Manager:

1. Move to the following directory under your Oracle Home for Webgate:

On UNIX operating systems:

<Webgate_Home>/webgate/ohs/tools/deployWebGate

On Windows operating systems:

<Webgate_Home>\webgate\ohs\tools\deployWebGate

2. On the command line, run the following command to copy the required bits of the agent from the Webgate_Home directory to the Webgate Instance location:

On UNIX operating systems:

./deployWebGateInstance.sh -w <Webgate_Instance_Directory> -oh <Webgate_Oracle_Home>

On Windows operating systems:

deployWebGateInstance.bat -w <Webgate_Instance_Directory> -oh <Webgate_Oracle_Home>

Where <Webgate_Oracle_Home> is the directory where you have installed Oracle HTTP Server Webgate and created as the Oracle Home for Webgate, as in the following example:

<MW_HOME>/Oracle_OAMWebGate1

The <Webgate_Instance_Directory> is the location of the Webgate Instance Home, which is the same as the Instance Home of Oracle HTTP Server, as in the following example:

<MW_HOME>/Oracle_WT1/instances/instance1/config/OHS/ohs1

Note that an Instance Home for Oracle HTTP Server is created after you configure Oracle HTTP Server. This configuration is performed after installing Oracle HTTP Server 11.1.1.5.0 or Oracle HTTP Server 11.1.1.6.0.

3. Run the following command to ensure that the LD_LIBRARY_PATH variable contains <Oracle_Home_for_Oracle_HTTP_Server>/lib:<Webgate_Installation_Directory>/webgate/ohs/lib

On UNIX (depending on the shell):

export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:<Oracle_Home_for_Oracle_HTTP_Server>/lib:<Webgate_Installation_Directory>/webgate/ohs/lib

On Windows:

Set the <Webgate_Installation_Directory>\webgate\ohs\lib location and the <Oracle_Home_for_Oracle_HTTP_Server>\lib location in the PATH environment variable. Add a semicolon (;) followed by this path at the end of the entry for the PATH environment variable.

4. On UNIX operating systems, move to:

<Webgate_Home>/webgate/ohs/tools/setup/InstallTools

On Windows operating systems, move to:

<Webgate_Home>\webgate\ohs\tools\EditHttpConf

5. On the command line, run the following command to copy the apache_webgate.template from the Webgate_Home directory to the Webgate Instance location (renamed to webgate.conf) and update the httpd.conf file to add one line to include the name of webgate.conf:

On UNIX operating systems:

./EditHttpConf -w <Webgate_Instance_Directory> [-oh <Webgate_Oracle_Home>] [-o <output_file>]

On Windows operating systems:

EditHttpConf.exe -w <Webgate_Instance_Directory> [-oh <Webgate_Oracle_Home>] [-o <output_file>]

Where <Webgate_Oracle_Home> is the directory where you have installed Oracle HTTP Server Webgate for Oracle Access Manager and created as the Oracle Home for Webgate, as in the following example:

<MW_HOME>/Oracle_OAMWebGate1

The <Webgate_Instance_Directory> is the location of the Webgate Instance Home, which is the same as the Instance Home of Oracle HTTP Server, as in the following example:

<MW_HOME>/Oracle_WT1/instances/instance1/config/OHS/ohs1

The <output_file> is the name of the temporary output file used by the tool, as in the following example:

webgate.conf

Note: The -oh <WebGate_Oracle_Home> and -o <output_file> parameters are optional.

Note that an Instance Home for Oracle HTTP Server is created after you configure Oracle HTTP Server. This configuration is performed after installing Oracle HTTP Server 11.1.1.5.0 or Oracle HTTP Server 11.1.1.6.0.

12.5 Verifying the Oracle HTTP Server 11g Webgate for Oracle Access Manager

After completing the installation of Oracle HTTP Server 11g Webgate for Oracle Access Manager, including the post-installation steps, you can use the Oracle Inventory to verify the installation. The oraInst.loc file specifies the location of the Oracle Inventory directory, in which the Installer records the Oracle products installed on the system.

On UNIX, if you do not know the location of your Oracle Inventory directory, you can find it in the <Webgate_Home>/oraInst.loc file.

On Windows, the default location for the inventory directory is C:\Program Files\Oracle\Inventory.

12.6 Getting Started with a New Oracle HTTP Server 11g Webgate Agent for Oracle Access Manager

Before you can get started with the new Oracle HTTP Server 11g Webgate agent for Oracle Access Manager, you must complete the following tasks:

1. Register the New Webgate Agent

2. Copy Generated Files and Artifacts to the Webgate Instance Location

3. Restart the Oracle HTTP Server Instance

12.6.1 Register the New Webgate Agent

You can register the new Webgate agent with Oracle Access Manager by using the Oracle Access Manager Administration Console. For more information, see the "Registering Partners (Agents and Applications) by Using the Console" topic in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.

Alternatively, you can use the RREG command-line tool to register a new Webgate agent. The tool can be run in two modes: In-Band mode, and Out-Of-Band mode. For more information, see the "Registering Agents and Applications Remotely" topic in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.

Setting Up the RREG Tool

1. After installing and configuring Oracle Access Manager, navigate to the following location:

On UNIX operating systems:

<IAM_Home>/oam/server/rreg/client

On Windows operating systems:


<IAM_Home>\oam\server\rreg\client

2. On the command line, extract the RREG.tar.gz archive, as in the following example:

gunzip RREG.tar.gz

tar -xvf RREG.tar

The tool used to register the agent is located in the following location:

On UNIX operating systems:

<RREG_Home>/bin/oamreg.sh

On Windows operating systems:

<RREG_Home>\bin\oamreg.bat

Set the following environment variables in the oamreg.sh script or in the oamreg.bat script:

■ OAM_REG_HOME - Set this variable to the absolute path to the directory where you extracted the contents of RREG.tar/rreg.

■ JAVA_HOME - Set this variable to the absolute path to the directory where Java/JDK is installed on your machine.

Updating the OAM11GRequest.xml File

You must update the agent parameters, such as agentName, in the OAM11GRequest.xml file, which is located in the <RREG_Home>\input directory on Windows and in the <RREG_Home>/input directory on UNIX.

Modify the following required parameters in the OAM11GRequest.xml file or in the OAM11GRequest_short.xml file:

■ <serverAddress>

Specify the host and the port of the Administration Server.

■ <agentName>

Specify any custom name for the agent.

■ <agentBaseUrl>

Specify the host and the port of the machine where Oracle HTTP Server 11g Webgate is installed.

■ <preferredHost>

Specify the host and the port of the machine where Oracle HTTP Server 11g Webgate is installed.

Note: <RREG_Home> is the directory where you extracted the contents of RREG.tar.gz/rreg to.

Note: The OAM11GRequest.xml file, or its short version OAM11GRequest_short.xml, is used as a template. Copy the template file and edit the copy.


■ <security>

Specify the security mode (open, simple, or cert) that the installed Webgate will use. See the "Securing Communication Between OAM 11g Servers and WebGates" topic referenced in Installing and Configuring Oracle Access Manager 11g for how the Webgate mode must relate to the mode configured on the Oracle Access Manager server.

■ <primaryServerList>

Specify the host and the port of Managed Server for Oracle Access Manager proxy, under a <Server> container element.

After modifying the file, save the file and close.

In-Band Mode

If you run the RREG tool once after updating the Webgate parameters in the OAM11GRequest.xml file, the files and artifacts required by Webgate are generated in the following directory:

On UNIX operating systems:

<RREG_Home>/output/<agent_name>

On Windows operating systems:

<RREG_Home>\output\<agent_name>

Complete the following steps:

1. Open the OAM11GRequest.xml file, which is located in the input directory (<RREG_Home>/input/ on UNIX, and <RREG_Home>\input on Windows). <RREG_Home> is the directory where you extracted the contents of RREG.tar.gz/rreg to. Edit this XML file and fill in parameters for the new Oracle HTTP Server Webgate for Oracle Access Manager.

2. From the <RREG_Home> directory (the input path below is relative to it), run the following command on the command line:

On UNIX operating systems:

<RREG_Home>/bin/oamreg.sh inband input/OAM11GRequest.xml

On Windows operating systems:

<RREG_Home>\bin\oamreg.bat inband input\OAM11GRequest.xml

Out-Of-Band Mode

If you are an end-user with no access to the server, you can email your updated OAM11GRequest.xml file to the system administrator, who can run RREG in the Out-Of-Band mode. You can collect the generated <AgentID>_Response.xml file from the system administrator and run RREG on this file to obtain the Webgate files and artifacts you require.

After you receive the generated <AgentID>_Response.xml file from the administrator, you must manually copy the file to the input directory on your machine.

Complete the following steps:

1. If you are an end-user with no access to the server, open the OAM11GRequest.xml file, which is located in the input directory (<RREG_Home>/input/ on UNIX, and <RREG_Home>\input\ on Windows). <RREG_Home> is the directory where you extracted the contents of RREG.tar.gz/rreg to. Edit this XML file and fill in parameters for the new Oracle HTTP Server Webgate for Oracle Access Manager. Send the updated file to your system administrator.

Note: You can run RREG either on a client machine or on the server machine. If you are running it on the server machine, you must manually copy the artifacts back to the client machine.

2. If you are an administrator, copy the updated OAM11GRequest.xml file to the input directory on your machine (<RREG_Home>/input/ on UNIX, and <RREG_Home>\input\ on Windows). This is the file you received from the end-user. Move to your (administrator’s) RREG_Home directory and run the following command on the command line:

On UNIX operating systems:

<RREG_Home>/bin/oamreg.sh outofband input/OAM11GRequest.xml

On Windows operating systems:

<RREG_Home>\bin\oamreg.bat outofband input\OAM11GRequest.xml

An <Agent_ID>_Response.xml file is generated in the output directory on the administrator's machine (<RREG_Home>/output/ on UNIX, and <RREG_Home>\output\ on Windows). Send this file to the end-user who sent you the updated OAM11GRequest.xml file.

3. If you are the end-user (application owner), copy the generated <Agent_ID>_Response.xml file to your input directory (<RREG_Home>/input/ on UNIX, and <RREG_Home>\input\ on Windows). This is the file you received from the administrator. Move to your (client's) RREG home directory and run the following command on the command line:

On UNIX operating systems:

<RREG_Home>/bin/oamreg.sh outofband input/<Agent_ID>_Response.xml

On Windows operating systems:

<RREG_Home>\bin\oamreg.bat outofband input\<Agent_ID>_Response.xml

Files and Artifacts Generated by RREG

Regardless of the method or mode you use to register the new Webgate agent, the following files and artifacts are generated in the <RREG_Home>/output/<Agent ID> directory:

■ cwallet.sso

■ ObAccessClient.xml

■ In the SIMPLE mode, RREG generates:

– password.xml, which contains the obfuscated global passphrase to encrypt the private key used in SSL. This passphrase can be the same as the passphrase used on the server.

– aaa_key.pem

– aaa_cert.pem

■ In the CERT mode, RREG generates:

– password.xml, which contains the obfuscated global passphrase to encrypt the private key used in SSL. This passphrase can be different than the passphrase used on the server.

Note: If you register the Webgate agent using the Oracle Access Manager Administration Console, as described in the "Registering Partners (Agents and Applications) by Using the Console" topic in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager, you must manually copy the files and artifacts generated after the registration from the server machine (the machine where Oracle Access Manager Administration Console is running) to the client machine. The files and artifacts are generated in the <MW_HOME>/user_projects/domains/<name_of_the_WebLogic_domain_for_OAM>/output/<Agent_ID> directory.

12.6.2 Copy Generated Files and Artifacts to the Webgate Instance Location

After RREG generates these files and artifacts, you must manually copy them (cwallet.sso, ObAccessClient.xml, password.xml, aaa_key.pem, aaa_cert.pem, based on the security mode you are using) from the <RREG_Home>/output/<Agent ID> directory to the <Webgate_Instance_Home> directory.

12.6.2.1 OPEN Mode

In OPEN mode, copy the following files from the <RREG_Home>/output/<Agent_ID> directory to the <Webgate_Instance_Home>/webgate/config directory:

■ ObAccessClient.xml

■ cwallet.sso

12.6.2.2 SIMPLE Mode

In SIMPLE mode, copy the following files from the <RREG_Home>/output/<Agent_ID> directory to the <Webgate_Instance_Home>/webgate/config directory:

■ ObAccessClient.xml

■ cwallet.sso

■ password.xml

In addition, copy the following files from the <RREG_Home>/output/<Agent_ID> directory to the <Webgate_Instance_Home>/webgate/config/simple directory:

■ aaa_key.pem

■ aaa_cert.pem

12.6.2.3 CERT Mode

In CERT mode, copy the following files from the <RREG_Home>/output/<Agent_ID> directory to the <Webgate_Instance_Home>/webgate/config directory:

■ ObAccessClient.xml

■ cwallet.sso

■ password.xml

Note: You can use these files generated by RREG to generate a certificate request and to get it signed by a third-party Certification Authority. To install an existing certificate, you must use the existing aaa_cert.pem and aaa_chain.pem files along with password.xml and aaa_key.pem.

After copying the files, you must either generate a new certificate or migrate an existing certificate.

Generating a New Certificate (Only for CERT Mode)

You can generate a new certificate as follows:

1. From your present working directory, move to the <Webgate_Home>/webgate/ohs/tools/openssl directory.

2. On the command line, create a certificate request as follows:

./openssl req -utf8 -new -nodes -config openssl_silent_ohs11g.cnf -keyout aaa_key.pem -out aaa_req.pem -rand <Webgate_Home>/webgate/ohs/config/random-seed

Note that -nodes writes aaa_key.pem unencrypted, so the file permissions are the only protection for the key; keep it readable by the Oracle HTTP Server account only.

3. Sign the request with the simple CA shipped with Webgate (its CA certificate is cacert.pem in the simpleCA directory). The resulting certificate is not issued by a public Certification Authority:

./openssl ca -config openssl_silent_ohs11g.cnf -policy policy_anything -batch -out aaa_cert.pem -infiles aaa_req.pem

4. Copy the following generated files to the <Webgate_Instance_Home>/webgate/config directory:

■ aaa_key.pem

■ aaa_cert.pem

■ cacert.pem located in the simpleCA directory

Note: After copying the cacert.pem file, you must rename the file to aaa_chain.pem.

Migrating an Existing Certificate (Only for CERT Mode)

If you want to migrate an existing certificate (aaa_key.pem, aaa_cert.pem, and aaa_chain.pem), be sure to remember the passphrase that you used to encrypt aaa_key.pem. You must enter the same passphrase during the RREG registration process. If you do not use the same passphrase, the password.xml file generated by RREG does not match the passphrase used to encrypt the key.

If you enter the same passphrase, you can copy these files as follows:

1. From your present working directory, move to the <Webgate_Instance_Home>/webgate/config directory.

2. Copy the following files into the <Webgate_Instance_Home>/webgate/config directory:

■ aaa_key.pem

■ aaa_cert.pem

■ aaa_chain.pem
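The copy steps in Section 12.6.2 are easy to get subtly wrong: a file left behind in the RREG output directory, the SIMPLE-mode PEM files placed in config instead of config/simple, cacert.pem not renamed to aaa_chain.pem, or a key that every local account can read. The following Python script is an added example, not part of this guide or of the Webgate product. It checks a <Webgate_Instance_Home> against the per-mode file lists above, flags a private key readable by group or others (the 0600 expectation is the editor's recommendation, not a statement of the guide), and, where the openssl command is installed, confirms that aaa_cert.pem carries the public key of aaa_key.pem. The placeholder files it creates for its own demonstration are constructed and are not real RREG output.

```python
"""Post-copy check for Webgate agent artifacts (Section 12.6.2).

Added example, not Oracle's code. It verifies that the files RREG generates for
the chosen security mode are present under <Webgate_Instance_Home>/webgate/config,
that the agent's private key is not readable by other accounts, and, when the
openssl CLI is installed, that aaa_cert.pem carries the public key of aaa_key.pem.
"""
import os
import shutil
import stat
import subprocess
import tempfile

# Expected files per security mode, relative to <Webgate_Instance_Home>/webgate/config
# (Sections 12.6.2.1 to 12.6.2.3). In CERT mode aaa_chain.pem is the renamed
# cacert.pem or the migrated chain file.
REQUIRED_FILES = {
    "OPEN": ["ObAccessClient.xml", "cwallet.sso"],
    "SIMPLE": ["ObAccessClient.xml", "cwallet.sso", "password.xml",
               "simple/aaa_key.pem", "simple/aaa_cert.pem"],
    "CERT": ["ObAccessClient.xml", "cwallet.sso", "password.xml",
             "aaa_key.pem", "aaa_cert.pem", "aaa_chain.pem"],
}
PRIVATE_KEYS = ("aaa_key.pem", "simple/aaa_key.pem")


def required_files(mode):
    """Files the chosen mode needs; raises ValueError for anything but OPEN/SIMPLE/CERT."""
    try:
        return REQUIRED_FILES[mode.upper()]
    except KeyError:
        raise ValueError(f"unknown Webgate security mode: {mode!r}") from None


def check_webgate_artifacts(instance_home, mode):
    """Return a list of problems; an empty list means the copy looks complete."""
    cfg = os.path.join(instance_home, "webgate", "config")
    problems = []
    for rel in required_files(mode):
        path = os.path.join(cfg, rel)
        if not os.path.isfile(path) or os.path.getsize(path) == 0:
            problems.append(f"missing or empty: {rel}")
    # A private key that group or others can read is a problem in any mode
    # (editor's recommendation: mode 0600, owned by the OHS account).
    for rel in PRIVATE_KEYS:
        path = os.path.join(cfg, rel)
        if os.path.isfile(path) and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            problems.append(f"private key readable by group/others: {rel}")
    return problems


def cert_matches_key(cert_path, key_path):
    """True when the certificate's public key equals the one derived from the key.

    Uses the openssl CLI and returns None if it is not installed. Assumes the key
    file is unencrypted, as 'openssl req -nodes' in Section 12.6.2.3 produces it.
    """
    if shutil.which("openssl") is None:
        return None

    def run(args, stdin=None):
        return subprocess.run(["openssl", *args], input=stdin,
                              capture_output=True, check=True).stdout

    key_spki = run(["pkey", "-in", key_path, "-pubout", "-outform", "DER"])
    cert_pub_pem = run(["x509", "-in", cert_path, "-pubkey", "-noout"])
    cert_spki = run(["pkey", "-pubin", "-outform", "DER"], stdin=cert_pub_pem)
    return key_spki == cert_spki


def build_sample_instance(mode, key_mode=0o600, omit=()):
    """Create a throw-away instance home holding placeholder files (constructed
    content, not real RREG output) so the checks can be exercised offline."""
    home = tempfile.mkdtemp(prefix="webgate_inst_")
    cfg = os.path.join(home, "webgate", "config")
    for rel in required_files(mode):
        if rel in omit:
            continue
        path = os.path.join(cfg, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(f"placeholder for {rel}\n")
        if os.path.basename(rel) == "aaa_key.pem":
            os.chmod(path, key_mode)
    return home


if __name__ == "__main__":
    # Demonstration against a constructed instance with two deliberate mistakes;
    # in practice pass the real <Webgate_Instance_Home> and mode instead.
    home = build_sample_instance("CERT", key_mode=0o644, omit=("aaa_chain.pem",))
    for problem in check_webgate_artifacts(home, "CERT"):
        print(problem)
    shutil.rmtree(home)
```

Run it after the copy step for the mode you registered with (for example `check_webgate_artifacts("/u01/app/ohs_instance", "SIMPLE")`, a hypothetical path); an empty result is what you want before restarting Oracle HTTP Server. For a migrated, passphrase-protected key, `cert_matches_key` would need the passphrase passed to openssl and is therefore only meant for the -nodes case shown above.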

12.6.3 Restart the Oracle HTTP Server Instance

You can use the Oracle Process Manager and Notification Server (OPMN) command-line tool to start or stop your Oracle HTTP Server instance. If any instances are running, run the following command to stop all running instances:

<Oracle_Home_for_Oracle_HTTP_Server>/opmn/bin/opmnctl stopall

To restart the Oracle HTTP Server instance, run the following commands on the command line:

1. <Oracle_Home_for_Oracle_HTTP_Server>/opmn/bin/opmnctl start

2. <Oracle_Home_for_Oracle_HTTP_Server>/opmn/bin/opmnctl startproc ias-component=<Oracle_HTTP_Server_Instance_Name>

13 Lifecycle Management

This chapter explains how to address situations where a lifecycle change event occurs for an Oracle Identity and Access Management component that is integrated with one or more components.

Topics include:

■ How Lifecycle Events Impact Integrated Components

■ LCM for Oracle Identity Manager

■ LCM for Oracle Access Manager

■ LCM for Oracle Adaptive Access Manager

■ LCM for Oracle Identity Navigator

■ References

13.1 How Lifecycle Events Impact Integrated Components

Following are ways in which certain lifecycle events, sometimes referred to as rewiring, affect a component that is already integrated with others:

■ Reassociation

The host name or port of an integrated component changes, so the components that depend on it must be pointed at the new value. For example, the host name of an OVD server changes.

■ Test to Production

When entities in a test or pilot environment are migrated into a pre-installed production environment, the components that depend on them can be affected. For example, moving Oracle Identity Navigator to a new production environment.

Note: For some components, "rewiring" to achieve Test to Production is not feasible, and it is advisable to simply create a new production instance of the server. Oracle Identity Federation is an example of a server that is freshly installed in the production environment rather than changing the test configuration.

13.2 LCM for Oracle Identity Manager

Lifecycle management events for Oracle Identity Manager include:

■ reassociation when the host or port changes for these components:

– Oracle Virtual Directory

– Oracle SOA Suite

– MDS

■ moving metadata from a test environment to a production environment

Refer to the following sources for lifecycle management procedures relating to OIM:

■ "Oracle Virtual Directory Host and Port Changes" in the Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager

■ "Changing OVD Password" in the Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager

■ "SPML Client Host and Port Changes" in the Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager

■ "SOA Host and Port Changes" in the Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager

■ "Oracle Identity Manager Database Host and Port Changes" in the Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager

■ "Oracle Identity Manager (OIM) Rewiring with Existing Oracle Adaptive Access Manager (OAAM)" in the Oracle Fusion Middleware Developer's Guide for Oracle Adaptive Access Manager

■ "Changing Oracle Identity Manager Database Password" in the Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager

■ "Configuring LDAP Adapters" in the Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory

■ "Adding a Component Link to the Product Launcher by Using Product Discovery" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Navigator

■ "Editing Adapter Plug-Ins" in the Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory

■ "Move Oracle Identity Manager to a New Production Environment" in the Oracle Fusion Middleware Administrator's Guide

■ "Move Oracle Identity Manager to an Existing Production Environment" in the Oracle Fusion Middleware Administrator's Guide

13.3 LCM for Oracle Access Manager

Lifecycle events for Oracle Access Manager include replicating the policy configuration information from the test system into production.

Refer to the following sources for lifecycle management procedures relating to Oracle Access Manager:

■ "Adding a Component Link to the Product Launcher by Using Product Discovery" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Navigator

■ "Moving OAM 11g Data from a Test to a Production Deployment" in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management

13.4 LCM for Oracle Adaptive Access Manager

Lifecycle events for Oracle Adaptive Access Manager include reassociation when the host or port changes for the following components:

■ Oracle Virtual Directory

■ Oracle Internet Directory

■ Oracle Database

■ Oracle Identity Manager

Refer to the following sources for lifecycle management procedures relating to Oracle Adaptive Access Manager:

■ "Adding a Component Link to the Product Launcher by Using Product Discovery" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Navigator

■ "Oracle Virtual Directory (OVD) Rewiring with Existing Oracle Adaptive Access Manager (OAAM)" in the Oracle Fusion Middleware Developer's Guide for Oracle Adaptive Access Manager

■ "Oracle Identity Manager (OIM) Rewiring with Existing Oracle Adaptive Access Manager (OAAM)" in the Oracle Fusion Middleware Developer's Guide for Oracle Adaptive Access Manager

■ "OID Rewiring with Existing OAAM (in Cases without OVD)" in the Oracle Fusion Middleware Developer's Guide for Oracle Adaptive Access Manager

■ "Database Rewiring with Existing OAAM" in the Oracle Fusion Middleware Developer's Guide for Oracle Adaptive Access Manager

■ "Move Oracle Adaptive Access Manager to a New Production Environment" in the Oracle Fusion Middleware Administrator's Guide

■ "Move Oracle Adaptive Access Manager to an Existing Production Environment" in the Oracle Fusion Middleware Administrator's Guide

13.5 LCM for Oracle Identity Navigator

Lifecycle events for Oracle Identity Navigator include migrating from test to production, and rewiring the integration with Oracle Business Intelligence Publisher.

Refer to the following sources for lifecycle management procedures relating to Oracle Identity Navigator:

■ "Migrating Oracle Identity Navigator from Test to Production" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Navigator

■ "Configuring Oracle Business Intelligence Publisher" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Navigator

■ "Adding a Component Link to the Product Launcher by Using Product Discovery" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Navigator

13.6 References

For additional information about lifecycle management in Oracle Fusion Middleware, see "Part V Advanced Administration: Expanding Your Environment" in the Oracle Fusion Middleware Administrator's Guide.

Part III Appendixes

Part III contains the following appendixes:

■ Appendix A, "Oracle Identity and Access Management 11g Release 2 (11.1.2) Software Installation Screens"

■ Appendix B, "Oracle Identity Manager Configuration Screens"

■ Appendix C, "Starting or Stopping the Oracle Stack"

■ Appendix D, "Preconfiguring Oracle Directory Server Enterprise Edition (ODSEE)"

■ Appendix E, "Preconfiguring Oracle Unified Directory (OUD)"

■ Appendix F, "Preconfiguring Oracle Internet Directory (OID)"

■ Appendix G, "Deinstalling and Reinstalling Oracle Identity and Access Management"

■ Appendix H, "Performing Silent Installations"

■ Appendix I, "Troubleshooting the Installation"

■ Appendix J, "Oracle Adaptive Access Manager Partition Schema Reference"

■ Appendix K, "Software Deinstallation Screens"

A Oracle Identity and Access Management 11g Release 2 (11.1.2) Software Installation Screens

This appendix describes the screens of the Oracle Identity and Access Management 11g software Installation Wizard that enables you to install Oracle Identity Manager, Oracle Access Management, Oracle Adaptive Access Manager, Oracle Entitlements Server, Oracle Identity Navigator, Oracle Privileged Account Manager, and Oracle Access Management Mobile and Social.

It contains the following topics:

■ Welcome

■ Install Software Updates

■ Prerequisite Checks

■ Specify Installation Location

■ Installation Summary

■ Installation Progress

■ Installation Complete

A.1 Welcome

The Welcome screen is displayed each time you start the Oracle Identity and Access Management 11g Installer wizard.


Figure A–1 Welcome Screen

Click Next to continue.

A.2 Install Software Updates

This screen lets you search for the latest software updates, including important security updates, through your My Oracle Support account, so that known fixes are applied as part of the installation rather than afterwards.


Figure A–2 Install Software Updates

A.3 Prerequisite Checks

The installation program checks that you have a certified operating system version, the required software packages, and sufficient disk space and memory for the operations that you have selected. If any issues are detected, errors appear on this page.

The following example screen applies to Windows operating systems only.


Figure A–3 Prerequisite Checks Screen

On this screen, you can select to Abort, Retry, or Continue with the installation.

If all the prerequisite checks pass inspection, click Next to continue.

A.4 Specify Installation Location

In this screen, you enter a location for the new Oracle Identity and Access Management 11g software being installed.


Figure A–4 Specify Installation Location Screen

Ensure that Oracle WebLogic Server is already installed on your machine. Navigate to the Oracle Fusion Middleware Home directory by clicking Browse. Enter a name for the new Oracle Home directory for Oracle Identity and Access Management 11g components.

If the Middleware location does not exist, you must install WebLogic Server and create a Middleware Home directory, as described in Section 3.2.4, "WebLogic Server and Middleware Home Requirements", before running the Oracle Identity and Access Management Installer.

Click Next to continue.

Note: If you do not specify a valid Middleware Home directory on the Specify Installation Location screen, the Installer displays a message and prompts you to confirm whether you want to proceed with the installation of only Oracle Identity Manager Design Console and Oracle Identity Manager Remote Manager. These two components of Oracle Identity Manager do not require a Middleware Home directory.

If you want to install only Oracle Identity Manager Design Console or Remote Manager, you do not need to install Oracle WebLogic Server or create a Middleware Home directory on the machine where Design Console or Remote Manager is being configured.


A.5 Installation Summary

This screen displays a summary of your Oracle Identity and Access Management 11g installation.

Figure A–5 Installation Summary Screen

Review the contents of this screen, and click Install to start installing the Oracle Identity and Access Management 11g software.

A.6 Installation Progress

This screen displays the progress of the Oracle Identity and Access Management installation.


Figure A–6 Installation Progress Screen

If you want to quit before the installation is completed, click Cancel. The installation progress indicator gives a running inventory of the files that are being installed. If you are only installing the software binaries, installation is complete after all of the binaries have been installed.

A.7 Installation Complete

This screen displays a summary of the installation parameters, such as Location, Disk Space, and Applications. To save the installation configuration in a response file, which is used to perform silent installations, click Save.


Figure A–7 Installation Complete Screen

Click Finish to complete the installation process.

B Oracle Identity Manager Configuration Screens

This appendix describes the screens of the Oracle Identity Manager 11g Configuration Wizard that enables you to configure Oracle Identity Manager Server, Oracle Identity Manager Design Console, and Oracle Identity Manager Remote Manager.

This appendix contains the following topics:

■ Welcome

■ Components to Configure

■ Database

■ WebLogic Admin Server

■ OIM Server

■ LDAP Server

■ LDAP Server Continued

■ Configuration Summary

B.1 Welcome

The Welcome screen is displayed each time you start the Oracle Identity Manager Configuration Wizard.


Figure B–1 Welcome Screen

You can use the Oracle Identity Manager Configuration Wizard only once during initial setup for configuring Oracle Identity Manager Server. After configuring Oracle Identity Manager Server using this wizard, you cannot re-run this wizard to modify the configuration of Oracle Identity Manager. You must use Oracle Enterprise Manager Fusion Middleware Control to make such modifications. However, you can run this wizard on other machines, where Design Console or Remote Manager is configured, as and when needed.

Ensure that you have configured Oracle Identity Manager in a new or existing WebLogic domain before launching the Oracle Identity Manager Configuration Wizard to configure Oracle Identity Manager Server, Design Console on Windows, and Remote Manager.

If you are configuring Server, you must run this wizard on the machine where the WebLogic Administration Server is running (the Administration Server for the domain in which Oracle Identity Manager is deployed). Ensure that the Administration Server is up and running before you start configuring Oracle Identity Manager Server.

If you are configuring only Design Console, you must run this wizard on the Windows machine where Design Console should be configured. If you are configuring only Remote Manager, you must run this wizard on the machine where Remote Manager is being configured. Note that the Oracle Identity Manager Server should be configured before you can configure Design Console or Remote Manager.

Click Next to continue.


B.2 Components to Configure

Use this screen to select the Oracle Identity Manager components that you want to configure. Oracle Identity Manager components include Server, Design Console, and Remote Manager.

Before configuring Oracle Identity Manager Server, Design Console or Remote Manager, ensure that you have configured Oracle Identity Manager in a new or existing WebLogic domain using the Oracle Fusion Middleware Configuration Wizard.

Figure B–2 Components to Configure Screen

Table B–1 describes the Oracle Identity Manager components that you can choose.

Table B–1 Oracle Identity Manager Configuration Choices

Option Description

Configure all components on this screen

To configure Oracle Identity Manager Server, Design Console, and Remote Manager simultaneously on the same machine, select the Oracle Identity Manager option.

Configure only Oracle Identity Manager Server

To configure only Oracle Identity Manager Server, select the OIM Server option. This option is selected, by default. Note that WebLogic Administration Server for the domain (the domain in which Oracle Identity Manager is deployed) should be up and running.

Configure only Oracle Identity Manager Design Console

To configure only Oracle Identity Manager Design Console, select the OIM Design Console option. However, note that Oracle Identity Manager Server must be configured either on the local machine or on a remote machine before you can run Design Console on development machines. Design Console is supported on Windows operating systems only.

Configure only Oracle Identity Manager Remote Manager

To configure only Oracle Identity Manager Remote Manager, select the OIM Remote Manager option. However, note that Oracle Identity Manager Server must be configured either on the local machine or on a remote machine before you can run Remote Manager.

Note: You can also select any combination of two of the three Oracle Identity Manager components.

B.3 Database

In this screen, you specify the database and schema information. Note that you should have created and loaded Oracle Identity Manager schemas using the Oracle Fusion Middleware Repository Creation Utility (RCU) before configuring Oracle Identity Manager Server. For information about creating and loading Oracle Identity Manager schemas, see Section 3.2.3, "Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU)".

Figure B–3 Database Screen


You can use the same database or different databases for creating the Oracle Identity Manager schema and the Metadata Services schema.

Table B–2 describes the database connection information that you must specify.

Table B–2 Fields in the Database Screen

Field Description

Connect String Enter the host name, listen port, and service name for your Oracle database. For a single host instance, the format of the connect string is hostname:port:servicename.

For example, if the host name is aaa.bbb.com, the port is 1234, and the service name is xxx.bbb.com, then you must enter the connect string for a single host instance as follows:

aaa.bbb.com:1234:xxx.bbb.com

If you are using a Real Application Clusters database, the format of the database connect string is as follows:

hostname1:port1:instancename1^host2:port2:instancename2@servicename

OIM Schema User Name Enter the name of the schema user that you created for Oracle Identity Manager using the Oracle Fusion Middleware Repository Creation Utility.

If you upgraded your existing Oracle Identity Manager schema to 11g Release 1 (11.1.1), enter the user name for your existing schema.

OIM Schema Password Enter the password for the Oracle Identity Manager schema user that you set while creating the schema using the Oracle Fusion Middleware Repository Creation Utility (RCU).

If you upgraded your existing Oracle Identity Manager schema to 11g Release 1 (11.1.1), enter the password for your existing schema.

Select different database for MDS schema Select this check box if you want to use a different database for the Metadata Services (MDS) schema.

MDS Connect String If you are using a different database for the Metadata Services (MDS) schema, enter the host name, listen port, and service name for the database associated with the MDS schema. The format is the same as that of the Connect String field.

MDS Schema User Name Enter the name of the schema user that you created for AS Common Services - Metadata Services by using the Oracle Fusion Middleware Repository Creation Utility (RCU).

If you upgraded your existing Metadata Services schema to 11g Release 1 (11.1.1), enter the user name for your existing schema.

MDS Schema Password Enter the password for the AS Common Services - Metadata Services schema user that you set while creating the schema by using the Oracle Fusion Middleware Repository Creation Utility (RCU).

If you upgraded your existing Metadata Services schema to 11g Release 1 (11.1.1), enter the password for your existing schema.

After entering information in the fields, click Next to continue.

B.4 WebLogic Admin Server

In this screen, you specify the t3 URL, user name, and password for the WebLogic administration domain in which the Oracle Identity Manager application is deployed. Ensure that the Administration Server is up and running.

Figure B–4 WebLogic Admin Server Screen

In the WebLogic Admin Server URL text box, enter the t3 URL of the Administration Server for the WebLogic domain in the following format:

t3://hostname:port

In the UserName text box, enter the WebLogic Administrator user name.

In the Password text box, enter the WebLogic Administrator password.

After entering information in the fields, click Next to continue.
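The values entered on the Database and WebLogic Admin Server screens, and the two passwords set on the OIM Server screen that follows (Table B–3), are also the values that go into a silent-install response file, so it pays to validate them before the wizard or installer rejects them. The following Python module is an added example, not Oracle code: it implements the connect string formats of Table B–2 (single instance and Real Application Clusters), the t3://hostname:port form of Section B.4, and the two password rules of Table B–3. The host names and passwords in it are constructed; two details the text does not specify are assumptions and are marked as such in the code: the first-name, last-name and login-name comparison is done case-insensitively, and t3s:// (the TLS variant of the t3 protocol) is accepted alongside t3://.

```python
"""Pre-flight validation of values for the OIM Configuration Wizard.

Added example, not Oracle's code. It encodes the formats and password rules
from Table B-2, Section B.4 and Table B-3 so they can be checked before they
are typed into the wizard or written into a silent-install response file.
Assumptions not stated by the tables are marked in the comments.
"""
import re

_HOST = r"[A-Za-z0-9][A-Za-z0-9.-]*"


def parse_connect_string(cs):
    """Parse the Connect String formats of Table B-2.

    Single instance: hostname:port:servicename
    RAC:             host1:port1:inst1^host2:port2:inst2@servicename
    Returns {"nodes": [(host, port, name), ...], "service": str}; raises
    ValueError with the reason when the string fits neither form.
    """
    cs = cs.strip()
    if "@" in cs:
        nodes_part, service = cs.rsplit("@", 1)
        if not service:
            raise ValueError("RAC connect string has no service name after '@'")
        node_strs = nodes_part.split("^")
    else:
        node_strs, service = [cs], None
    nodes = []
    for node in node_strs:
        parts = node.split(":")
        if len(parts) != 3 or not all(parts):
            raise ValueError(f"{node!r} is not host:port:name")
        host, port, name = parts
        if not re.fullmatch(_HOST, host):
            raise ValueError(f"bad host name {host!r}")
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            raise ValueError(f"bad port {port!r}")
        nodes.append((host, int(port), name))
    # For a single instance the third field is itself the service name.
    return {"nodes": nodes, "service": service if service is not None else nodes[0][2]}


def is_valid_connect_string(cs):
    """Boolean wrapper around parse_connect_string for yes/no checks."""
    try:
        parse_connect_string(cs)
        return True
    except ValueError:
        return False


def parse_t3_url(url):
    """Accept the Administration Server URL form of Section B.4, t3://hostname:port.

    Assumption: t3s:// (the TLS variant of the protocol, not shown in the
    section) is also accepted. Returns (scheme, host, port).
    """
    m = re.fullmatch(r"(t3s?)://(" + _HOST + r"):(\d{1,5})", url.strip())
    if not m or not 1 <= int(m.group(3)) <= 65535:
        raise ValueError("expected t3://hostname:port")
    return m.group(1), m.group(2), int(m.group(3))


def check_oim_admin_password(pw, first_name="", last_name="", login="xelsysadm"):
    """Rule violations for the OIM Administrator password (Table B-3).

    Assumption: the first/last/login name checks are case-insensitive
    substring matches; the table does not say how the comparison is done.
    """
    violations = []
    if len(pw) < 6:
        violations.append("shorter than 6 characters")
    if not re.match(r"[A-Za-z]", pw):
        violations.append("does not begin with an alphabetic character")
    if not re.search(r"[0-9]", pw):
        violations.append("no number")
    if not re.search(r"[A-Z]", pw):
        violations.append("no uppercase letter")
    if not re.search(r"[a-z]", pw):
        violations.append("no lowercase letter")
    for label, value in (("first name", first_name), ("last name", last_name),
                         ("login name", login)):
        if value and value.lower() in pw.lower():
            violations.append(f"contains the {label} {value!r}")
    return violations


def check_keystore_password(pw):
    """Rule violations for the KeyStore password (Table B-3): 6 to 30 characters,
    begins with a letter, only letters, digits, _ $ #, and at least one number."""
    violations = []
    if not 6 <= len(pw) <= 30:
        violations.append("length not between 6 and 30")
    if not re.match(r"[A-Za-z]", pw):
        violations.append("does not begin with an alphabetic character")
    if not re.fullmatch(r"[A-Za-z0-9_$#]*", pw):
        violations.append("uses characters other than letters, digits, _, $ and #")
    if not re.search(r"[0-9]", pw):
        violations.append("no number")
    return violations


if __name__ == "__main__":
    # Constructed sample values; the host names are placeholders.
    print(parse_connect_string("aaa.bbb.com:1234:xxx.bbb.com"))
    print(parse_connect_string("rac1.example.com:1521:oim1^rac2.example.com:1521:oim2@oimsvc.example.com"))
    print(parse_t3_url("t3://adminhost.example.com:7001"))
    print(check_oim_admin_password("xelsysadm1"))
    print(check_keystore_password("pass-word"))
```

Each checker returns the full list of failed rules rather than stopping at the first one, which is what you want when reviewing a response file before a silent installation (Appendix H): every offending value is reported in one pass.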

B.5 OIM Server

Use this screen to set the password for the system administrator (xelsysadm), confirm the URL that front-ends Oracle Identity Manager, set the keystore password, and optionally enable OIM-LDAP synchronization.


Figure B–5 OIM Server Screen

Table B–3 describes the Oracle Identity Manager Server parameters that you can configure.

Table B–3 Oracle Identity Manager Server Configuration Parameters

Field Name Description

OIM Administrator Password

Enter a new password for the administrator.

A valid password contains at least six characters, begins with an alphabetic character, and includes at least one number, one uppercase letter, and one lowercase letter. The password cannot contain the administrator's first name, last name, or login name.

Note that you are not prompted to enter this password in upgrade scenarios. You must set a password only if you are performing a new 11g installation.

Confirm Password Enter the new password again to confirm.

OIM HTTP URL Enter the http URL that front-ends the Oracle Identity Manager application. For example, http://localhost:7002.

By default, this field contains the URL of the Oracle Identity Manager Managed Server.

KeyStore Password Enter new password for the keystore.

A valid password contains 6 to 30 characters, begins with an alphabetic character, uses only alphanumeric characters and the special characters underscore (_), dollar ($), and pound (#), and includes at least one number.

Confirm KeyStore Password

Enter the new password again to confirm.

Enabling OIM-LDAP Synchronization

In this screen, you can also enable synchronization of Oracle Identity Manager roles, users, and their hierarchy to an LDAP directory.

If you want to enable LDAP sync, you must first set up LDAP Sync for Oracle Identity Manager (OIM) before selecting the Enable LDAP Sync option on this screen. For information about setting up OIM-LDAP Sync, see Section 5.7.5, "Completing the Prerequisites for Enabling LDAP Synchronization". After completing the prerequisites, select the Enable LDAP Sync option.

After entering information in the fields, click Next to continue.

B.6 LDAP Server

This screen is displayed only if you select the Enable LDAP Sync option on the OIM Server screen. In the LDAP Server screen, specify the connection and authentication information for the Directory Server to which Oracle Identity Manager roles, users, and their hierarchy are synchronized.

Figure B–6 LDAP Server Screen

Table B–4 describes the parameters that you must specify.

Table B–4 LDAP Server Information

Field Name Description

Directory Server Type

Select the desired Directory Server from the dropdown list.

Directory Server ID

Enter the Directory Server ID.

Server URL Enter the LDAP URL in the format:

ldap://oid_host:oid_port

Server User Enter the user name for the Directory Server administrator.

For example: cn=oimAdminUser,cn=Users,dc=mycompany,dc=com

Server Password Enter the password for the user specified in Server User (cn=oimAdminUser in the example above). Use a dedicated account that has only the rights Oracle Identity Manager needs on the search DN, rather than the directory's superuser account.

Server SearchDN Enter the Distinguished Name (DN) of the search base.

For example, dc=acme,dc=com

This is the top-level container for users and roles in LDAP that Oracle Identity Manager uses for reconciliation purposes.

After entering information in the fields, click Next to continue.

B.7 LDAP Server Continued

This screen is a continuation of the LDAP Server screen.

Figure B–7 LDAP Server Continued Screen

Table B–5 describes the LDAP parameters that you must specify.

Table B–5 LDAP Server Continued Information

Field Name Description

LDAP RoleContainer

Enter a name for the container that will be used as a default container of roles in the LDAP directory.

LDAP RoleContainer Description

Type a description for the role container.

LDAP UserContainer

Enter a name for the container that will be used as a default container of users in the LDAP directory.

LDAP UserContainer Description

Type a description for the user container.

User Reservation Container

Enter a name for the container that will be used for reserving user names in the LDAP directory while their creation is being approved in Oracle Identity Manager. When the user names are approved, they are moved from the reservation container to the user container in the LDAP directory.

After entering information in the fields, click Next to continue.

B.8 Configuration Summary

This screen displays a list of the applications or components you have selected for configuration. It includes the following information:

■ Location of your installation

■ Disk space that will be used for the installation

■ Applications or components you have selected for configuration

■ Configuration choices you made on different screens in the Oracle Identity Manager Configuration Wizard


Figure B–8 Configuration Summary Screen

Review this summary screen.

Additionally, you can select to create a response file from your installation selections by clicking on the Save button in the Save Response File field. A response file can be used for silent or non-interactive installations of software requiring no or very little user input.

Click Configure to start configuring the selected Oracle Identity Manager components.

C Starting or Stopping the Oracle Stack

You must start or stop the components of the Oracle stack in a specific order. The Oracle stack refers to the Administration Server for the WebLogic Server domain, the system components that are managed by Oracle Process Manager and Notification Server, and the Managed Servers, which are controlled by Node Manager.

This appendix describes that order and contains the following topics:

■ Starting the Stack

■ Stopping the Stack

■ Restarting Servers

C.1 Starting the Stack

After completing the installation and domain configuration, you must start the Administration Server and the various Managed Servers to get your deployments up and running:

1. To start the Administration Server, run the startWebLogic.sh (on UNIX operating systems) or startWebLogic.cmd (on Windows operating systems) script in the directory where you created your new domain.

On UNIX systems:

MW_HOME/user_projects/domains/domain_name/startWebLogic.sh

On Windows systems:

MW_HOME\user_projects\domains\domain_name\startWebLogic.cmd

domain_name is the name of the domain that you entered on the Specify Domain Name and Location Screen in the Oracle Fusion Middleware Configuration Wizard.

Note: When executing the startManagedWebLogic and stopManagedWebLogic scripts described in the following topics:

■ SERVER_NAME represents the name of the Oracle WebLogic Managed Server, such as wls_oif1, wls_ods1, or oam_server1.

■ You will be prompted for values for USER_NAME and PASSWORD if you do not provide them as options when you execute the script.

■ The value for ADMIN_URL will be inherited if you do not provide it as an option when you execute the script.

2. Configure Node Manager to start the Managed Servers. If a Managed Server contains other Oracle Fusion Middleware products, such as Oracle SOA Suite, Oracle WebCenter, or Oracle JRF, the Managed Servers environment must be configured to set the correct classpath and parameters. This environment information is provided through the start scripts, such as startWebLogic and setDomainEnv, which are located in the domain directory.

If the Managed Servers are started by Node Manager (as is the case when the servers are started by the Oracle WebLogic Server Administration Console or Fusion Middleware Control), Node Manager must be instructed to use these start scripts so that the server environments are correctly configured. Specifically, Node Manager must be started with the property StartScriptEnabled=true.

There are several ways to ensure that Node Manager starts with this property enabled. As a convenience, Oracle Fusion Middleware provides the following script, which adds the property StartScriptEnabled=true to the nodemanager.properties file:

On UNIX:

1. Run the following script to add the property StartScriptEnabled=true to the nodemanager.properties file:

ORACLE_COMMON_HOME/common/bin/setNMProps.sh

2. Start the Node Manager by executing the following command:

MW_HOME/WLS_HOME/server/bin/startNodeManager.sh

On Windows:

1. Run the following script to add the property StartScriptEnabled=true to the nodemanager.properties file:

ORACLE_COMMON_HOME\common\bin\setNMProps.cmd

2. Start the Node Manager by executing the following command:

MW_HOME\WLS_HOME\server\bin\startNodeManager.cmd
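Before starting Node Manager, it is worth confirming that nodemanager.properties really carries StartScriptEnabled=true, because a Managed Server that Node Manager starts without the start scripts comes up without the classpath and parameters described in step 2. The following Python helper is an added example, not Oracle's setNMProps script: it reads a Java-style properties file (key=value lines, '#' or '!' comments; that format is an assumption), reports the effective setting, and rewrites the file idempotently. The file content it operates on is a constructed sample, not a real installation's file.

```python
"""Check and set StartScriptEnabled=true in a Node Manager nodemanager.properties.

Added example; it is not Oracle's setNMProps script. It assumes the file is
a Java-style properties file (key=value lines, '#' or '!' comments).
"""
from pathlib import Path

PROPERTY = "StartScriptEnabled"


def read_properties(text):
    """Parse key=value lines into a dict; blanks and comments are skipped and,
    as in Java's Properties, a later definition of a key wins."""
    props = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "!")):
            continue
        key, sep, value = stripped.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def start_scripts_enabled(text):
    """True only when the effective StartScriptEnabled value is 'true'."""
    return read_properties(text).get(PROPERTY, "").lower() == "true"


def ensure_start_script_enabled(text):
    """Return (new_text, changed). The first StartScriptEnabled line is rewritten
    to true, later duplicates are dropped so they cannot override it, and the
    line is appended if the key is absent."""
    out, found = [], False
    for line in text.splitlines():
        stripped = line.strip()
        is_comment = stripped.startswith(("#", "!"))
        key = stripped.partition("=")[0].strip()
        if key == PROPERTY and not is_comment:
            if not found:
                out.append(f"{PROPERTY}=true")
                found = True
            continue
        out.append(line)
    if not found:
        out.append(f"{PROPERTY}=true")
    new_text = "\n".join(out) + "\n"
    return new_text, new_text != text


def ensure_in_file(path):
    """Apply ensure_start_script_enabled to a file on disk; True if it was rewritten."""
    p = Path(path)
    new_text, changed = ensure_start_script_enabled(p.read_text())
    if changed:
        p.write_text(new_text)
    return changed


# Constructed sample; not copied from an Oracle installation.
SAMPLE = """# nodemanager.properties (constructed sample)
ListenPort=5556
StartScriptEnabled=false
"""

if __name__ == "__main__":
    print("enabled before:", start_scripts_enabled(SAMPLE))
    fixed, changed = ensure_start_script_enabled(SAMPLE)
    print("enabled after:", start_scripts_enabled(fixed), "changed:", changed)
```

Dropping duplicate definitions matters because Java's Properties keeps the last value for a key, so an appended StartScriptEnabled=true followed by an older StartScriptEnabled=false line would still leave start scripts disabled.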

Note: When you start Node Manager, it reads the nodemanager.properties file with the StartScriptEnabled=true property, and uses the start scripts when it subsequently starts Managed Servers. You need to run the setNMProps script only once.

3. To start the Managed Servers, run the startManagedWebLogic.sh (on UNIX operating systems) or startManagedWebLogic.cmd (on Windows operating systems) script in the bin directory inside the directory where you created your domain.

Note: If the Node Manager is not running, you can start these Managed Servers from the command line.

This command also requires that you specify a server name. You must start the servers you created when configuring the domain, as shown in the following example:

■ oam_server1 (Oracle Access Management Server)

■ oim_server1 (Oracle Identity Manager Server)

For example, to start Oracle Access Management Server on a UNIX system:

MW_HOME/user_projects/domains/domain_name/bin/startManagedWebLogic.sh oam_server1

On Windows systems:

MW_HOME\user_projects\domains\domain_name\bin\startManagedWebLogic.cmd oam_server1

Before the Managed Server is started, you are prompted for the WebLogic Server user name and password. These were provided on the Configure Administrator Username and Password Screen in the Configuration Wizard.

If your Administration Server is using a non-default port, or resides on a different host than your Managed Servers (in a distributed environment), you must also specify the URL to access your Administration Server.

On UNIX systems:

MW_HOME/user_projects/domains/domain_name/bin/startManagedWebLogic.sh oam_server1 http://host:admin_server_port

On Windows systems:

MW_HOME\user_projects\domains\domain_name\bin\startManagedWebLogic.cmd oam_server1 http://host:admin_server_port

Instead of being prompted for the Administration Server user name and password, you can also specify them directly on the command line.

On UNIX systems:

MW_HOME/user_projects/domains/domain_name/bin/startManagedWebLogic.sh oam_server1 http://host:admin_server_port -Dweblogic.management.username=user_name -Dweblogic.management.password=password -Dweblogic.system.StoreBootIdentity=true

On Windows systems:

MW_HOME\user_projects\domains\domain_name\bin\startManagedWebLogic.cmd oam_server1 http://host:admin_server_port -Dweblogic.management.username=user_name -Dweblogic.management.password=password -Dweblogic.system.StoreBootIdentity=true

If you do not know the names of the Managed Servers that should be started, you can view the contents of the following file on UNIX systems:

MW_HOME/user_projects/domains/domain_name/startManagedWebLogic_readme.txt

Note: You can use the Oracle WebLogic Administration Console to start managed components in the background. See Oracle Fusion Middleware Introduction to Oracle WebLogic Server for more information.


On Windows systems:

MW_HOME\user_projects\domains\domain_name\startManagedWebLogic_readme.txt

Or, you can access the Administration Server console at the following URL:

http://host:admin_server_port/console

Supply the user name and password that you specified on the Configure Administrator Username and Password Screen of the Configuration Wizard. Then, navigate to Environment > Servers to see the names of your Managed Servers.

C.2 Stopping the Stack

You can stop the Oracle WebLogic Administration Server and all the managed servers by using the Oracle WebLogic Administration Console. See Oracle Fusion Middleware Introduction to Oracle WebLogic Server for more information.

To stop the stack components from the command line, perform the following steps:

1. Stop WebLogic managed components, such as Oracle Access Management, Oracle Identity Manager, and Oracle Adaptive Access Manager, by executing the following command:

MW_HOME/user_projects/domains/DOMAIN_NAME/bin/stopManagedWebLogic.sh {SERVER_NAME} {ADMIN_URL} {USER_NAME} {PASSWORD}

2. Stop the Oracle WebLogic Administration Server by executing the following command:

MW_HOME/user_projects/domains/DOMAIN_NAME/bin/stopWebLogic.sh

3. If you want to stop the Node Manager, you can use the kill command:

kill -9 PID

C.3 Restarting Servers

To restart the Administration Server or Managed Servers, you must stop the running Administration Server or Managed Servers first before starting them again. For more information, see Stopping the Stack and Starting the Stack.

D Preconfiguring Oracle Directory Server Enterprise Edition (ODSEE)

Before you can use your LDAP directory as an Identity store, you must preconfigure it. The procedure in this section describes how to preconfigure Oracle Directory Server Enterprise Edition (ODSEE) for use as your LDAP Identity store.

You must complete the following steps to preconfigure the Identity Store:

1. Create a new file iPlanetContainers.ldif. Add the following entries and save the file.

dn: cn=oracleAccounts,dc=mycompany,dc=com
cn: oracleAccounts
objectClass: nsContainer

dn: cn=Users,cn=oracleAccounts,dc=mycompany,dc=com
cn: Users
objectClass: nsContainer

dn: cn=Groups,cn=oracleAccounts,dc=mycompany,dc=com
cn: Groups
objectClass: nsContainer

dn: cn=Reserve,cn=oracleAccounts,dc=mycompany,dc=com
cn: Reserve
objectClass: nsContainer

2. Import the containers into the iPlanet Directory Server with the ldapadd command. This creates the user, group, and reserve containers.

ldapadd -h <ODSEE Server> -p <ODSEE port> -D <ODSEE Admin ID> -w <ODSEE Admin password> -c -f ./iPlanetContainers.ldif

For example:

ldapadd -h localhost -p 1389 -D "cn=Directory Manager" -w "welcome1" -c -f ./iPlanetContainers.ldif

If the above command gives an authentication error, try it with the '-x' (simple bind) option:

ldapadd -h localhost -p 1389 -x -D "cn=Directory Manager" -w "welcome1" -c -f ./iPlanetContainers.ldif

Note: If your LDAP Identity store (Oracle Directory Server Enterprise Edition (ODSEE) or iPlanet) has already been configured with the containers and oimadminuser, including the schema extension, you need not follow the configuration steps below.

3. Enable the moddn property so that entries can be renamed between nodes.

..dsee7/bin/dsconf set-server-prop -h <ODSEE Server> -p <ODSEE port> moddn-enabled:on

For example:

..dsee7/bin/dsconf set-server-prop -h localhost -p 1389 moddn-enabled:on

4. Enable changelog.

..dsee7/bin/dsconf set-server-prop -h <ODSEE Server> -p <ODSEE port> retro-cl-enabled:on

For example:

..dsee7/bin/dsconf set-server-prop -h localhost -p 1389 retro-cl-enabled:on

5. Check the status.

..dsee7/bin/dsccsetup status

6. Stop and Start the ODSEE server instance.

..dsee7/bin/dsadm stop <ODSEE instance>

..dsee7/bin/dsadm start <ODSEE instance>

For example:

..dsee7/bin/dsadm stop /scratch/<userid>/iPlanet/dsinst1/

..dsee7/bin/dsadm start /scratch/<userid>/iPlanet/dsinst1/

7. Extend the Sun schema to include OIM-specific Object Classes and Attribute Types.

cd to $MIDDLEWARE_HOME/oracle_common/modules/oracle.ovd_11.1.1/oimtemplates

Run the following command to load the ldif file, sunOneSchema.ldif.

ldapmodify -h <ODSEE Server> -p <ODSEE port> -D <ODSEE Admin ID> -w <ODSEE Admin password> -f sunOneSchema.ldif

For example:

./ldapmodify -h localhost -p 1389 -D "cn=directory manager" -w welcome1 -c -f sunOneSchema.ldif

8. Enable Referential Integrity for OIM's Common Name Generation feature.

Whenever a DN or RDN is modified, Referential Integrity must be enabled both in OIM and in the directory (OID, Active Directory, or ODSEE).

If Referential Integrity is enabled in the Directory Server, you must set the OIM property XL.IsReferentialIntegrityEnabledInLDAP to TRUE (by default it is set to FALSE). To do so, log into OIM and go to Advanced > System Management > System Configuration. Search for System Properties (XL.IsReferentialIntegrityEnabled), and set the property value to TRUE.

a. Use the following command to see the value of the referential integrity property:

..dsee7/bin/dsconf get-server-prop -h <ODSEE server> -p <ODSEE port> ref-integrity-enabled
Enter "cn=Directory Manager" password:
ref-integrity-enabled : off

b. Use the following command to enable the referential integrity property:

./dsconf set-server-prop -h <ODSEE server> -p <ODSEE port> ref-integrity-enabled:on
Enter "cn=Directory Manager" password:

Directory Server must be restarted for changes to take effect. Restart ODSEE/iPlanet Server after enabling referential integrity property.

..dsee7/bin/dsadm stop <ODSEE instance>

..dsee7/bin/dsadm start <ODSEE instance>

For Example:

..dsee7/bin/dsadm stop /scratch/<userid>/iPlanet/dsinst1/

..dsee7/bin/dsadm start /scratch/<userid>/iPlanet/dsinst1/

c. Now query to see if the value has been set correctly:

..dsee7/bin/dsconf get-server-prop -h <ODSEE server> -p <ODSEE port> ref-integrity-enabled
Enter "cn=Directory Manager" password:
ref-integrity-enabled : on

9. Create the OIM Admin User, Group and the ACIs. Open a new file oimadminuser.ldif. This oimadminuser is used as a proxy user by OIM.

The root suffix is given as dc=mycompany,dc=com. Replace it with the appropriate root suffix of the ODSEE server.

a. Add the following LDAP entries and save the file oimadminuser.ldif. Then run the following command to load the ldif file:

ldapmodify -h <ODSEE Server> -p <ODSEE port> -D <ODSEE Admin ID> -w <ODSEE Admin password> -f oimadminuser.ldif

dn: cn=systemids,dc=mycompany,dc=com
changetype: add
objectclass: nsContainer
objectclass: top
cn: systemids

dn: cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com
changetype: add
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgperson
mail: oimAdminUser
givenname: oimAdminUser
sn: oimAdminUser
cn: oimAdminUser
uid: oimAdminUser
userPassword: welcome1

dn: cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com
changetype: add
objectclass: groupOfUniqueNames
objectclass: top
cn: oimAdminGroup
description: OIM administrator role
uniquemember: cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com

dn: cn=users,cn=oracleAccounts,dc=mycompany,dc=com
changetype: modify
add: aci
aci: (target = "ldap:///cn=users,cn=oracleAccounts,dc=mycompany,dc=com")(targetattr = "*")(version 3.0; acl "Allow OIMAdminGroup add, read and write access to all attributes"; allow (add, read, search, compare, write, delete, import) (groupdn = "ldap:///cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com");)

dn: cn=Groups,cn=oracleAccounts,dc=mycompany,dc=com
changetype: modify
add: aci
aci: (target = "ldap:///cn=Groups,cn=oracleAccounts,dc=mycompany,dc=com")(targetattr = "*")(version 3.0; acl "Allow OIM AdminGroup to read and write access"; allow (read, search, compare, add, write, delete) (groupdn = "ldap:///cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com");)

dn: cn=reserve,cn=oracleAccounts,dc=mycompany,dc=com
changetype: modify
add: aci
aci: (target = "ldap:///cn=reserve,cn=oracleAccounts,dc=mycompany,dc=com")(targetattr = "*")(version 3.0; acl "Allow OIM AdminGroup to read and write access"; allow (read, search, compare, add, write, delete, export) (groupdn = "ldap:///cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com");)

dn: cn=changelog
changetype: modify
add: aci
aci: (target = "ldap:///cn=changelog")(targetattr = "*")(version 3.0; acl "Allow OIM AdminGroup to read and write access"; allow (read, search, compare, add, write, delete, export) (groupdn = "ldap:///cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com");)

b. Use the following commands to check for the entries and ACIs in the LDAP directory:

ldapsearch -h <ODSEE Server> -p <ODSEE Port> -x -D "cn=Directory Manager" -w <ODSEE Admin Password> -b "cn=changelog" -s sub "objectclass=*" aci

ldapsearch -h <ODSEE Server> -p <ODSEE Port> -x -D "cn=Directory Manager" -w <ODSEE Admin Password> -b "cn=users,cn=oracleAccounts,dc=mycompany,dc=com" -s sub "objectclass=*" aci

ldapsearch -h <ODSEE Server> -p <ODSEE Port> -x -D "cn=Directory Manager" -w <ODSEE Admin Password> -b "cn=groups,cn=oracleAccounts,dc=mycompany,dc=com" -s sub "objectclass=*" aci

ldapsearch -h <ODSEE Server> -p <ODSEE Port> -x -D "cn=Directory Manager" -w <ODSEE Admin Password> -b "cn=reserve,cn=oracleAccounts,dc=mycompany,dc=com" -s sub "objectclass=*" aci

E Preconfiguring Oracle Unified Directory (OUD)

Before you can use your LDAP directory as an Identity store, you must preconfigure it. The procedure in this section describes how to preconfigure Oracle Unified Directory (OUD) for use as your LDAP Identity store.

You must complete the following steps to preconfigure the Identity Store:

1. Create a new file OUDContainers.ldif. Add the following entries and save the file.

dn: cn=oracleAccounts,dc=mycompany,dc=com
cn: oracleAccounts
objectClass: top
objectClass: orclContainer

dn: cn=Users,cn=oracleAccounts,dc=mycompany,dc=com
cn: Users
objectClass: top
objectClass: orclContainer

dn: cn=Groups,cn=oracleAccounts,dc=mycompany,dc=com
cn: Groups
objectClass: top
objectClass: orclContainer

dn: cn=Reserve,cn=oracleAccounts,dc=mycompany,dc=com
cn: Reserve
objectClass: top
objectClass: orclContainer

2. Import the containers into Oracle Unified Directory Server with the ldapadd command. This creates the user, group, and reserve containers.

ldapadd -h <OUD Server> -p <OUD port> -D <OUD Admin ID> -w <OUD Admin password> -c -f ./OUDContainers.ldif

For example:

ldapadd -h localhost -p 3389 -D "cn=Directory Manager" -w "welcome1" -c -f ./OUDContainers.ldif

If the above command gives an authentication error, try it with the '-x' (simple bind) option:

ldapadd -h localhost -p 1389 -x -D "cn=Directory Manager" -w "welcome1" -c -f ./OUDContainers.ldif

Note: If your LDAP Identity store (Oracle Unified Directory (OUD)) has already been configured with the containers and oimadminuser, including the schema extension, you need not follow the configuration steps below.

3. Configure the OIM proxy user and ACIs so that OIM can communicate with OUD after installing OUD. Create the OIM Admin User, Group and the ACIs.

The root suffix is given as dc=mycompany,dc=com. Replace it with the appropriate root suffix of the OUD server.

a. Open a new file oudadmin.ldif. Add the following LDAP entries and save the file oudadmin.ldif. Then run the following command to load the ldif file:

cd <OUD instance>/bin

./ldapmodify -h <OUD Server> -p <OUD port> -D <OUD Admin ID> -j <pwd.txt> -c -v -f oudadmin.ldif

Note: In the above command, pwd.txt is the text file containing the OUD Admin password.

dn: cn=systemids,dc=mycompany,dc=com
changetype: add
objectclass: orclContainer
objectclass: top
cn: systemids

dn: cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com
changetype: add
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgperson
mail: oimAdminUser
givenname: oimAdminUser
sn: oimAdminUser
cn: oimAdminUser
uid: oimAdminUser
userPassword: welcome1

dn: cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com
changetype: add
objectclass: groupOfUniqueNames
objectclass: top
cn: oimAdminGroup
description: OIM administrator role
uniquemember: cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com

dn: cn=oracleAccounts,dc=mycompany,dc=com
changetype: modify
add: aci
aci: (target = "ldap:///cn=oracleAccounts,dc=mycompany,dc=com")(targetattr = "*")(version 3.0; acl "Allow OIMAdminGroup add, read and write access to all attributes"; allow (add, read, search, compare, write, delete, import, export) (groupdn = "ldap:///cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com");)

dn: cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com
changetype: modify
add: ds-privilege-name
ds-privilege-name: password-reset

Note: Run the ldapmodify command in the OUD setup to add the OIM proxy User, OIM proxy Group and the relevant ACIs.

■ The OIMAdmin proxy user must have an ACI allowing it to write/reset the userPassword.

■ The OIMAdmin proxy user must have the password-reset privilege. The password-reset privilege is assigned with an ldapmodify on the user entry.

b. Perform the following steps to configure the changelog on the OUD server:

Note: Perform these steps only if replication has not been configured during the installation of the OUD server.

Create a replication server using the dsconfig command:

dsconfig -h <OUD host> -p <OUD Admin SSL Port> -D <OUD Admin id> -j <password file> -X -n create-replication-server --provider-name 'Multimaster Synchronization' --set replication-port:8989 --set replication-server-id:1 --type generic

Create a replication domain using the dsconfig command:

dsconfig -h <OUD host> -p <OUD Admin SSL port> -D <OUD Admin id> -j <password file> -X -n create-replication-domain --provider-name 'Multimaster Synchronization' --set base-dn:<dc=myDomain,dc=com> --set replication-server:<OUD host>:8989 --set server-id:1 --type generic --domain-name <dc=myDomain,dc=com>

c. Use the following command to check if the ACI is added.

./ldapsearch -h <OUD Server> -p <OUD Port> -D "cn=Directory Manager" -j <pwd.txt> -b "dc=mycompany,dc=com" -s base "objectclass=*" aci

Note: In the above command, pwd.txt is the text file containing the OUD Admin password.

d. Use the following command to check if the proxy user is working against OUD.

./ldapsearch -h <OUD Server> -p <OUD Port> -D "cn=oimAdminUser,cn=systemids,dc=oracle,dc=com" -j <pwd.txt> -b "cn=changelog" -s sub "changenumber>=0"

Note: In the above command, pwd.txt is the text file containing the OUD Admin password.

4. Add the global-aci to the changelog node in OUD.

Refer to the Oracle Fusion Middleware Command-Line Usage Guide for Oracle Unified Directory 11g Release 1 (11.1.1), available at the following link:

http://docs.oracle.com/cd/E22289_01/html/821-1279/dsconfig.html

Follow the steps in that document and add the following global-aci to the cn=changelog entry in OUD:

(target="ldap:///cn=changelog")(targetattr="*")(version 3.0; acl "External changelog access"; allow(read,search,compare,add,write,delete,export) groupdn="ldap:///cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com";)

You must remove the deny from this global-aci and allow the OIM proxy user; otherwise the deny takes priority. Following the steps in the same document, delete the default deny global-aci from the cn=changelog entry in OUD:

(target="ldap:///cn=changelog")(targetattr="*")(version 3.0; acl "External changelog access"; deny (all) userdn="ldap:///anyone";)

Note: If you are using OUD 11.1.1.5.0, use the following ACI:

(target="ldap:///cn=changelog")(targetattr="*")(version 3.0; acl "External changelog access";deny (all) groupdn!="ldap:///cn=oimAdminGroup,cn=systemids,dc=myDomain,dc=com";)

5. If you want to enable Oracle Identity Manager (OIM) to lock a user account, you must configure a password policy on the OUD server.

In the password policy, you must define the maximum number of failed logins after which the source LDAP directory server locks the account. This number must have the same value as defined in the User Management plugin (pwdMaxFailure parameter) in Section 5.7.5.2.4, "Creating Adapters for Oracle Unified Directory (OUD)".

Use the following command to configure the OUD password policy (for instance, 3 failures lock the account):

dsconfig -h <OUD host> -p <OUD Admin SSL port> -D <OUD Admin id> -j <password file> -X -n set-password-policy-prop --policy-name 'Default Password Policy' --set lockout-failure-count:3
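Appendices D and E begin with the same container LDIF (ODSEE uses nsContainer, OUD and OID use orclContainer) and both end by verifying the ACIs on cn=changelog, where the OUD step above warns that a leftover deny (all) for anyone takes priority over the allow granted to the OIM group. The following Python helper is an added example, not part of Oracle's tooling: it generates the container LDIF for a given root suffix and directory type, parses aci values in the shape shown on this page (ODSEE/OUD aci syntax only; OID orclaci is out of scope), and checks that cn=changelog grants the OIM admin group the read, search and compare rights every changelog ACI on this page grants while no deny-all-for-anyone remains. The aci strings embedded in it are constructed from the two global-aci values above.

```python
"""Identity-store preconfiguration helpers: container LDIF (step 1 of Appendices
D and E) and the cn=changelog ACI check (Appendix E, step 4).

Added example; not Oracle's tooling. Assumptions: the caller supplies the root
suffix and directory type, and the ACI grammar parsed is the subset shown in the
appendices (ODSEE/OUD "aci" values, not OID "orclaci").
"""
import re

# Object classes the appendices use for the containers.
CONTAINER_CLASSES = {
    "odsee": ("nsContainer",),
    "oud": ("top", "orclContainer"),
    "oid": ("top", "orclContainer"),
}

# Child containers OIM expects under cn=oracleAccounts.
CHILD_CONTAINERS = ("Users", "Groups", "Reserve")


def container_ldif(root_suffix, directory_type):
    """Return LDIF creating cn=oracleAccounts and its Users/Groups/Reserve children."""
    classes = CONTAINER_CLASSES[directory_type.lower()]
    base = f"cn=oracleAccounts,{root_suffix}"
    entries = [("oracleAccounts", base)]
    entries += [(cn, f"cn={cn},{base}") for cn in CHILD_CONTAINERS]
    blocks = []
    for cn, dn in entries:
        lines = [f"dn: {dn}", f"cn: {cn}"] + [f"objectClass: {c}" for c in classes]
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


# Matches the ACI shape used on the page:
# (target="...")(targetattr="...")(version 3.0; acl "name"; allow|deny (rights) groupdn|userdn ="..." ;)
ACI_RE = re.compile(
    r'\(target\s*=\s*"(?P<target>[^"]+)"\)'
    r'.*?version\s+3\.0;\s*acl\s*"(?P<name>[^"]*)";\s*'
    r'(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'\(?\s*(?P<subject>groupdn|userdn)\s*(?P<op>!?=)\s*"(?P<who>[^"]+)"\s*\)?\s*;\s*\)',
    re.DOTALL,
)


def parse_aci(aci):
    """Parse one aci value into a dict, or None if it is not in the expected shape."""
    m = ACI_RE.search(aci)
    if not m:
        return None
    d = m.groupdict()
    d["rights"] = [r.strip() for r in d["rights"].split(",") if r.strip()]
    return d


# Rights that every cn=changelog ACI on this page grants the OIM group.
CHANGELOG_RIGHTS = {"read", "search", "compare"}


def changelog_access_ok(acis, oim_group_dn):
    """True when the cn=changelog ACIs allow the OIM admin group CHANGELOG_RIGHTS and
    no 'deny (all) userdn="ldap:///anyone"' remains; the page notes that such a deny
    takes priority over the allow, so it must be deleted."""
    granted = set()
    for aci in acis:
        p = parse_aci(aci)
        if p is None or p["target"] != "ldap:///cn=changelog":
            continue
        if p["effect"] == "deny" and p["op"] == "=" and p["who"] == "ldap:///anyone" and "all" in p["rights"]:
            return False
        if (p["effect"] == "allow" and p["subject"] == "groupdn" and p["op"] == "="
                and p["who"] == f"ldap:///{oim_group_dn}"):
            granted |= set(p["rights"])
    return CHANGELOG_RIGHTS <= granted


# Constructed sample mirroring the two global-aci values in Appendix E, step 4.
OIM_GROUP = "cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com"
ALLOW_ACI = ('(target="ldap:///cn=changelog")(targetattr="*")(version 3.0; acl "External changelog access"; '
             'allow(read,search,compare,add,write,delete,export) groupdn="ldap:///' + OIM_GROUP + '";)')
DENY_ACI = ('(target="ldap:///cn=changelog")(targetattr="*")(version 3.0; acl "External changelog access"; '
            'deny (all) userdn="ldap:///anyone";)')

if __name__ == "__main__":
    print(container_ldif("dc=mycompany,dc=com", "odsee"))
    print("with default deny still present:", changelog_access_ok([ALLOW_ACI, DENY_ACI], OIM_GROUP))
    print("after deleting the deny:", changelog_access_ok([ALLOW_ACI], OIM_GROUP))
```

The check deliberately ignores the OUD 11.1.1.5.0 variant (deny (all) groupdn!=…), since that form excludes everyone except the OIM group rather than the group itself; feeding it the aci values returned by the ldapsearch in step 3c gives a quick pass/fail before starting LDAP synchronization.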

F Preconfiguring Oracle Internet Directory (OID)

Before you can use your LDAP directory as an Identity store, you must preconfigure it. The procedure in this section describes how to preconfigure Oracle Internet Directory (OID) for use as your LDAP Identity store.

You must complete the following steps to preconfigure the Identity Store:

1. Create a new file OIDContainers.ldif. Add the following entries and save the file.

dn: cn=oracleAccounts,dc=mycompany,dc=com
cn: oracleAccounts
objectClass: top
objectClass: orclContainer

dn: cn=Users,cn=oracleAccounts,dc=mycompany,dc=com
cn: Users
objectClass: top
objectClass: orclContainer

dn: cn=Groups,cn=oracleAccounts,dc=mycompany,dc=com
cn: Groups
objectClass: top
objectClass: orclContainer

dn: cn=Reserve,cn=oracleAccounts,dc=mycompany,dc=com
cn: Reserve
objectClass: top
objectClass: orclContainer

2. Import the containers into Oracle Internet Directory Server with the ldapadd command. This creates the user, group, and reserve containers.

ldapadd -h <OID Server> -p <OID port> -D <OID Admin ID> -w <OID Admin password> -c -f ./OIDContainers.ldif

For example:

ldapadd -h localhost -p 3060 -D "cn=orcladmin" -w "welcome1" -c -f ./OIDContainers.ldif

If the above command gives an authentication error, try it with the '-x' (simple bind) option:

ldapadd -h localhost -p 3060 -x -D "cn=orcladmin" -w "welcome1" -c -f ./OIDContainers.ldif

Note: If your LDAP Identity store (Oracle Internet Directory (OID)) has already been configured with the containers and oimadminuser, including the schema extension, you need not follow the configuration steps below.

3. Configure the OIM proxy user and ACIs so that OIM can communicate with OID after installing OID. Create the OIM Admin User, Group and the ACIs.

The root suffix is given as 'dc=mycompany,dc=com'. Replace it with the appropriate root suffix of the OID server.

a. Open a new file oidadmin.ldif. Add the following LDAP entries and save the file oidadmin.ldif. Then run the following command to load the ldif file:

./ldapmodify -h <OID Server> -p <OID port> -D <OID Admin ID> -w <OID Admin password> -c -v -f oidadmin.ldif

dn: cn=systemids,dc=mycompany,dc=comchangetype: addobjectclass: orclContainerobjectclass: topcn: systemids

dn: cn=oimAdminUser,cn=systemids,dc=mycompany,dc=comchangetype: addobjectclass: topobjectclass: personobjectclass: organizationalPersonobjectclass: inetorgpersonobjectclass: orcluserobjectclass: orcluserV2mail: oimAdminUsergivenname: oimAdminUsersn: oimAdminUsercn: oimAdminUseruid: oimAdminUseruserPassword: welcome1

dn: cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=comchangetype: addobjectclass: groupOfUniqueNamesobjectclass: orclPrivilegeGroupobjectclass: topcn: oimAdminGroupdescription: OIM administrator roleuniquemember: cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com

dn: cn=oracleAccounts,dc=mycompany,dc=comchangetype: modifyadd: orclaciorclaci: access to entry by group="cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com" (add,browse,delete) by * (none)

Note: Run the ldapmodify command in OID setup to add the OIM proxy User, OIM proxy Group and the relevant ACIs.

Page 257: Oracle Fusion Middleware Installation Guide for Oracle ... · Oracle Fusion Middleware Installation Guide for ... 6.9.1.3 Setting Up the OpenSSO ... Preface Oracle Fusion Middleware

Preconfiguring Oracle Internet Directory (OID) F-3

orclaci: access to attr=(*) by group="cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com" (read,search,write,compare) by * (none)

dn: cn=changelogchangetype: modifyadd: orclaciorclaci: access to entry by group="cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com" (browse) by * (none)orclaci: access to attr=(*) by group="cn=oimAdminGroup,cn=systemids,dc=mycompany,dc=com" (read,search,compare) by * (none)

b. Use the following command to check if the ACI is added.

./ldapsearch -h <OID Server> -p <OID Port> -D "cn=orcladmin" -w <OID Admin password> -b "dc=mycompany,dc=com" -s one "objectclass=*" orclaci

c. Use the following command to check if the proxy user is working against OID. Before running this command ensure that the changenumber is catalogued.

./ldapsearch -h <OID Server> -p <OID Port> -D "cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com" -w <OID Admin password> -b "cn=changelog" -s sub "changenumber>=0"

If the above command gives an error, try the following:

./ldapsearch -h <OID Server> -p <OID Port> -D "cn=oimAdminUser,cn=systemids,dc=mycompany,dc=com" -w <OID Admin password> -b "cn=changelog" -s one "changenumber>=0"
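The check in step b only lists the orclaci values; reading them for a typo is still manual. The following Python script is an added example, not part of this guide or of Oracle's tooling: it parses saved ldapsearch output and compares every grant on cn=oracleAccounts and cn=changelog against the ones oidadmin.ldif is meant to add, for whatever root suffix you used, flagging missing rights, extra rights and any ACI not closed with "by * (none)". It assumes the orclaci syntax shown in the LDIF above and accepts both attr=value and LDIF "attr: value" lines; the sample output is constructed, not captured from a server.

```python
"""Verify the OIM proxy ACIs from saved ldapsearch output.

Added example for verification step 3b; not code from the Oracle guide.
Assumes the orclaci syntax the guide uses,
  access to <entry|attr=(...)> by group="<dn>" (<rights>) by * (<rights>)
and reads both 'orclaci=value' and LDIF 'orclaci: value' lines.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

ACI_RE = re.compile(
    r'access to (?P<target>entry|attr=\([^)]*\))'
    r' by group="(?P<group>[^"]+)" \((?P<rights>[^)]*)\)'
    r'(?: by \* \((?P<others>[^)]*)\))?'
)
ATTR_LINE_RE = re.compile(r'^(?P<name>[A-Za-z]+)\s*[:=]\s*(?P<value>.*)$')


def _rights(text: Optional[str]) -> Set[str]:
    return {r.strip() for r in (text or "").split(",") if r.strip()}


def parse_acis(search_output: str) -> Dict[str, List[dict]]:
    """Map each DN in the search output to the orclaci grants it carries."""
    acis: Dict[str, List[dict]] = {}
    dn = None
    for raw in search_output.splitlines():
        m = ATTR_LINE_RE.match(raw.strip())
        if not m:
            continue
        name, value = m.group("name").lower(), m.group("value").strip()
        if name == "dn":
            dn = value
            acis.setdefault(dn, [])
        elif name == "orclaci" and dn is not None:
            a = ACI_RE.search(value)
            if a is None:
                continue
            others = a.group("others")
            acis[dn].append({
                "target": a.group("target"),
                "group": a.group("group"),
                "rights": _rights(a.group("rights")),
                # None: no "by *" clause at all; empty set: "by * (none)"
                "others": None if others is None else _rights(others) - {"none"},
            })
    return acis


def expected_acis(suffix: str) -> Tuple[str, Dict[str, Dict[str, Set[str]]]]:
    """The grants oidadmin.ldif adds, for the given root suffix."""
    group = "cn=oimAdminGroup,cn=systemids," + suffix
    return group, {
        "cn=oracleAccounts," + suffix: {
            "entry": {"add", "browse", "delete"},
            "attr=(*)": {"read", "search", "write", "compare"},
        },
        "cn=changelog": {
            "entry": {"browse"},
            "attr=(*)": {"read", "search", "compare"},
        },
    }


def check_acis(search_output: str, suffix: str) -> List[str]:
    """One finding per missing, over-broad or unfenced grant; empty means OK."""
    found = parse_acis(search_output)
    group, expected = expected_acis(suffix)
    findings: List[str] = []
    for dn, targets in expected.items():
        for target, rights in targets.items():
            grants = [g for g in found.get(dn, [])
                      if g["target"] == target and g["group"] == group]
            if not grants:
                findings.append("%s: no orclaci on %s for %s" % (dn, target, group))
                continue
            for g in grants:
                extra, missing = g["rights"] - rights, rights - g["rights"]
                if extra:
                    findings.append("%s: %s grants more than expected: %s"
                                    % (dn, target, ",".join(sorted(extra))))
                if missing:
                    findings.append("%s: %s lacks expected rights: %s"
                                    % (dn, target, ",".join(sorted(missing))))
                if g["others"] is None or g["others"]:
                    findings.append("%s: %s is not closed with 'by * (none)'"
                                    % (dn, target))
    return findings


SUFFIX = "dc=mycompany,dc=com"
GROUP = "cn=oimAdminGroup,cn=systemids," + SUFFIX

# Constructed output of the two verification searches (one level under the
# suffix, and under cn=changelog), in attr=value form. Not captured output.
SAMPLE_OK = "\n".join([
    "dn: cn=oracleAccounts," + SUFFIX,
    'orclaci=access to entry by group="%s" (add,browse,delete) by * (none)' % GROUP,
    'orclaci=access to attr=(*) by group="%s" (read,search,write,compare) by * (none)' % GROUP,
    "",
    "dn: cn=changelog",
    'orclaci=access to entry by group="%s" (browse) by * (none)' % GROUP,
    'orclaci=access to attr=(*) by group="%s" (read,search,compare) by * (none)' % GROUP,
])

# The same output after a copy-paste slip: the changelog attribute ACI was
# loaded with write access and left open to everyone else.
SAMPLE_BAD = SAMPLE_OK.replace("(read,search,compare) by * (none)",
                               "(read,search,write,compare) by * (read)")

if __name__ == "__main__":
    for label, output in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, check_acis(output, SUFFIX) or "all expected ACIs present")
```

Run the guide's two ldapsearch commands (step b under the suffix, and one under cn=changelog with the orclaci attribute requested), save their output to a file, and feed that file's text to check_acis with your real root suffix; an empty result means the grants match the LDIF exactly.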


G Deinstalling and Reinstalling Oracle Identity and Access Management

This appendix provides information about deinstalling and reinstalling Oracle Identity and Access Management 11g Release 2 (11.1.2). It contains the following topics:

■ Deinstalling Oracle Identity and Access Management

■ Reinstalling Oracle Identity and Access Management

G.1 Deinstalling Oracle Identity and Access Management

This topic contains procedures for deinstalling Oracle Identity and Access Management. It contains the following sections:

■ Deinstalling the Oracle Identity and Access Management Oracle Home

■ Deinstalling the Oracle Common Home

G.1.1 Deinstalling the Oracle Identity and Access Management Oracle Home

The deinstaller attempts to remove the Oracle Home directory from which it was started. Before you choose to remove your Oracle Identity and Access Management Oracle Home directory, make sure that it is not in use by an existing domain and that you stop all running processes that use this Oracle Home.

Deinstalling Oracle Identity and Access Management will not remove any WebLogic domains that you have created—it only removes the software in the Oracle Identity and Access Management Oracle Home directory.

This section describes how to deinstall your Oracle Identity and Access Management Oracle Home using the graphical, screen-based deinstaller. However, you can also perform a silent deinstallation using a response file. A deinstall response file template that you can customize for your deinstallation is included in the Disk1/stage/Response directory on UNIX, or in the Disk1\stage\Response directory on Windows.

Note: Always use the instructions provided in this appendix for removing the software. If you try to remove the software manually, you may experience problems when you try to reinstall the software. Following the procedures in this appendix ensures that the software is properly removed.

Note: The Oracle inventory (oraInventory) is required for removing instances and Oracle Homes. On UNIX, the file that points to the inventory location is, for example:

/etc/oraInst.loc

Perform the following steps to deinstall your Oracle Identity and Access Management Oracle Home using the graphical, screen-based deinstaller:

1. Verify your Oracle Identity and Access Management Oracle Home is not in use by an existing domain.

2. Stop all processes that use the Oracle Identity and Access Management Oracle Home.

3. Open a command prompt and move (cd) into the IAM_ORACLE_HOME/oui/bin directory (UNIX) or the IAM_ORACLE_HOME\oui\bin directory (Windows).

4. Invoke the Deinstaller from command line using the -deinstall option. For example:

On UNIX:

./runInstaller -deinstall

On Windows:

setup.exe -deinstall

The Welcome screen appears.

5. Click Next.

In the Deinstall Oracle Home screen, you can save a response file that contains the deinstallation settings before deinstalling. Click Deinstall. The Deinstall Progress screen appears. This screen shows the progress and status of the deinstallation.

Click Finish after the deinstallation progresses to 100%. The Deinstallation Complete screen appears.

6. Click Finish on the Deinstallation Complete screen to exit the deinstaller.

G.1.2 Deinstalling the Oracle Common Home

The ORACLE_COMMON_HOME directory located in the MW_HOME directory contains the binary and library files required for Oracle Enterprise Manager Fusion Middleware Control and Oracle Java Required Files (JRF). Before you deinstall the ORACLE_COMMON_HOME directory, ensure that no other Oracle Fusion Middleware software, such as Oracle SOA Suite, depends on ORACLE_COMMON_HOME. You cannot deinstall the ORACLE_COMMON_HOME directory until all software that depends on it has been deinstalled.

Perform the following steps to deinstall the ORACLE_COMMON_HOME directory:

1. Stop all processes that use the ORACLE_COMMON_HOME directory. To find the processes that are using the ORACLE_COMMON_HOME directory, use the following:

On UNIX:

ps -ef | grep oracle_common

On Windows:

Use the Windows Task Manager to identify the processes that use the ORACLE_COMMON_HOME directory.

2. Deinstall your Oracle Identity and Access Management Oracle Home by performing the steps in Deinstalling the Oracle Identity and Access Management Oracle Home.

3. Open a command prompt and move (cd) into the ORACLE_COMMON_HOME/oui/bin/ directory (on UNIX) or the ORACLE_COMMON_HOME\oui\bin\ directory (on Windows).

4. Invoke the Deinstaller from command line using the -deinstall option and the -jreLoc option, which identifies the location where Java Runtime Environment (JRE) is installed. For example:

On UNIX:

./runInstaller -deinstall -jreLoc FULL_PATH_TO_JRE_DIRECTORY

On Windows:

setup.exe -deinstall -jreLoc FULL_PATH_TO_JRE_DIRECTORY

The Welcome screen appears.

5. Click Next. The Select Deinstallation Type screen appears.

6. Select the Deinstall Oracle Home option at the top of the Select Deinstallation Type screen.

Note: The path to the ORACLE_COMMON_HOME directory appears in the text describing the Deinstall Oracle Home option.

Click Next. The Deinstall Oracle Home screen appears.

7. Confirm the correct ORACLE_COMMON_HOME directory is listed and click Deinstall.

The Deinstallation Progress screen appears, along with a Warning dialog box prompting you to confirm that you want to deinstall the ORACLE_COMMON_HOME directory.

8. Click Yes on the Warning dialog box to confirm you want to remove the ORACLE_COMMON_HOME directory. The deinstallation begins.

9. Click Finish after the deinstallation progresses to 100%. The Deinstallation Complete screen appears.

10. Click Finish on the Deinstallation Complete screen to exit the deinstaller.

G.2 Reinstalling Oracle Identity and Access Management

Perform the following steps to reinstall Oracle Identity and Access Management:

1. Verify that the directory into which you want to reinstall Oracle Identity and Access Management does not contain an existing Oracle Identity and Access Management instance. If it does, you must deinstall it before reinstalling. You cannot reinstall Oracle Identity and Access Management in a directory that contains an existing instance.

2. Reinstall Oracle Identity and Access Management as if it were the first installation by performing the steps in the appropriate procedure in this guide.

H Performing Silent Installations

This appendix describes how to install Oracle Identity Management in silent mode. This appendix contains the following topics:

■ What is a Silent Installation?

■ Before Performing a Silent Installation

■ Creating Response Files

■ Performing a Silent Installation

■ Installer Command Line Parameters

H.1 What is a Silent Installation?

A silent installation eliminates the need to monitor the Oracle Identity and Access Management installation because no graphical output is displayed and no input by the user is required.

To perform a silent Oracle Identity and Access Management installation, you invoke the Installer with the -silent flag and provide a response file from the command line. The response file is a text file containing variables and parameter values which provide answers to the Installer prompts.

H.2 Before Performing a Silent Installation

This topic describes tasks that may be required before you perform a silent installation. This topic includes the following sections:

■ UNIX Systems: Creating the oraInst.loc File

■ Windows Systems: Creating the Registry Key

H.2.1 UNIX Systems: Creating the oraInst.loc File

The Installer uses the Oracle inventory directory to keep track of all Oracle products installed on the system. The location of the inventory directory is stored in a file named oraInst.loc. If this file does not already exist on your system, you must create it before starting a silent installation.

Perform the following steps to create the oraInst.loc file if it does not exist:

1. Log in as the root user.

2. Using a text editor such as vi or emacs, create the oraInst.loc file in any directory. The contents of the file consist of the following two lines:

inventory_loc=oui_inventory_directory
inst_group=oui_install_group

Replace oui_inventory_directory with the full path to the directory where you want the Installer to create the inventory directory. Replace oui_install_group with the name of the group whose members have write permissions to this directory. If the file is not in the default location, pass its full path to the Installer with the -invPtrLoc option listed in Table H–1.

3. Exit from the root user.

H.2.2 Windows Systems: Creating the Registry Key

If you have not installed Oracle Identity and Access Management on your system, you must create the following Registry key and value:

HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\inst_loc = [inventory_directory]

Replace inventory_directory with the full path to the directory where you want the Installer to keep its inventory. For example: C:\Program Files\Oracle\Inventory

H.3 Creating Response Files

Before performing a silent installation, you must provide information specific to your installation in a response file. Response files are text files that you can create or edit in a text editor. The Installer will fail if you attempt a silent installation using a response file that is not configured correctly.

Several default response files, which you can use as templates and customize for your environment, are included in the installation media. These default response files are located in the Disk1/stage/Response directory on UNIX, or in the Disk1\stage\Response directory on Windows.

Creating Response Files for Oracle Identity and Access Management Software Installation

When you use the Oracle Identity and Access Management Installation Wizard to install the software for the first time, you can save a summary of your installation in a response file.

To create a response file for Oracle Identity and Access Management software Installer for Oracle Identity Manager, Oracle Access Management, Oracle Adaptive Access Manager, Oracle Entitlements Server, Oracle Access Management Mobile and Social, Oracle Privileged Account Manager, and Oracle Identity Navigator, complete the following steps:

1. On the Installation Summary screen in the installation wizard, click Save in the Save Response File field.

2. When prompted, save the file to a local directory.

Creating Response Files for Oracle Identity Manager Configuration

When you use the Oracle Identity Manager Configuration Wizard to configure Oracle Identity Manager Server, Design Console, or Remote Manager for the first time, you can save a summary of your configuration in a response file.

To create this response file, complete the following steps:

1. On the Configuration Summary screen in the configuration wizard, click Save in the Save Response File field.

2. When prompted, save the file to a local directory.

Note: After performing a silent installation on UNIX platforms, you must run the ORACLE_HOME/root.sh script as the root user. The root.sh script detects the settings of environment variables and enables you to enter the full path of the local bin directory.

H.3.1 OIM, OAM, OAAM, OES, and OIN

The following is a list of the default response files included in the installation media for the Oracle Identity and Access Management Suite containing Oracle Identity Manager, Oracle Access Management, Oracle Adaptive Access Manager, Oracle Entitlements Server, Oracle Privileged Account Manager, Oracle Access Management Mobile and Social, and Oracle Identity Navigator:

■ iamsuite_install_only.rsp: Use this response file to install Oracle Identity and Access Management components without configuring them.

■ iamsuite_config_only.rsp: Use this response file with the Oracle Identity Manager Configuration Wizard (the config.sh script or config.bat in ORACLE_HOME/bin/) to configure Oracle Identity Manager Server, Design Console, and Remote Manager.

■ deinstall_oh.rsp: Use this response file with the Oracle Identity and Access Management Deinstaller to deinstall installed components.

H.3.2 Securing Your Silent Installation

Your response files contain certain passwords required by the Installer. To minimize security issues regarding these passwords in the response file, follow these guidelines:

■ Set the permissions on the response files so that they are readable only by the operating system user who will be performing the silent installation.

■ If possible, remove the response files from the system after the silent installation is completed.
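The following Python script is an added example, not part of this guide or of the Oracle installer, that applies both guidelines to a response file: before the silent install it reports ownership and any group or world permission bits and tightens the mode to owner-only; after the install it lists the keys that still carry a password and blanks those values before the file is deleted, so that a stray copy or backup of the file holds nothing useful. The variable names in the constructed sample file and the "password/passwd/pwd" key pattern are assumptions; adapt them to the keys your saved response file actually contains.

```python
"""Check and harden an Installer response file that carries passwords.

Added example for the H.3.2 guidelines; not code from the Oracle guide.
Assumptions: response files are key=value text, password-bearing keys have
'password', 'passwd' or 'pwd' in the name (check the keys your saved file
really uses), and a POSIX host where file mode bits and the uid mean something.
"""
import os
import re
import stat
import tempfile
from typing import Dict, List

PASSWORD_KEY_RE = re.compile(r"(?i)(password|passwd|pwd)")


def permission_findings(path: str) -> List[str]:
    """Reasons the file is unsafe to leave on disk while the install runs."""
    st = os.stat(path)
    findings = []
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        findings.append("file is not owned by the installing user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %o grants group/other access" % stat.S_IMODE(st.st_mode))
    return findings


def harden(path: str) -> None:
    """Owner read/write only (0600): the first H.3.2 guideline."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)


def _entries(path: str):
    """Yield (line, key, value) per line; key/value are None for non-entries."""
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.rstrip("\n")
            if "=" in line and not line.lstrip().startswith("#"):
                key, value = line.split("=", 1)
                yield line, key, value
            else:
                yield line, None, None


def password_keys(path: str) -> List[str]:
    """Keys that look like passwords and still carry a value."""
    return [key.strip() for _, key, value in _entries(path)
            if key is not None and PASSWORD_KEY_RE.search(key) and value.strip()]


def scrub_passwords(path: str) -> int:
    """Blank every password value in place before the file is deleted, so a
    stray copy or backup of it holds nothing useful. Returns the count."""
    out, cleared = [], 0
    for line, key, value in _entries(path):
        if key is not None and PASSWORD_KEY_RE.search(key) and value.strip():
            line, cleared = key + "=", cleared + 1
        out.append(line)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(out) + "\n")
    return cleared


# Constructed sample in the shape of a saved response file; the variable names
# are illustrative, not the wizard's real ones.
SAMPLE_RESPONSE = """\
[ENGINE]
Response File Version=1.0.0.0.0
[GENERIC]
ORACLE_HOME=/u01/oracle/Middleware/Oracle_IDM1
OIM_SCHEMA_PASSWORD=ChangeMe-1
KEYSTORE_PWD=ChangeMe-2
OIM_ADMIN_USER=xelsysadm
"""


def demo() -> Dict[str, object]:
    """Run the checks over the sample in a temp file and return the results."""
    fd, path = tempfile.mkstemp(suffix=".rsp")
    os.close(fd)
    try:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_RESPONSE)
        os.chmod(path, 0o644)          # the usual careless default
        before = permission_findings(path)
        harden(path)
        return {
            "before": before,
            "after": permission_findings(path),
            "keys": password_keys(path),
            "cleared": scrub_passwords(path),
            "remaining": password_keys(path),
        }
    finally:
        os.remove(path)                # the second H.3.2 guideline


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-9s %s" % (name, result))
```

In practice, call permission_findings and harden on the real .rsp file before invoking runInstaller -silent, and scrub_passwords followed by deletion once the installation has completed; blanking the values first matters because a plain delete leaves the old contents recoverable from the filesystem and from any backup taken in between.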

H.4 Performing a Silent Installation

To perform a silent Oracle Identity and Access Management installation, you invoke the Installer with the -silent flag and provide a response file from the command line.

On UNIX

The following is the syntax for running the Installer from the command line on UNIX systems:

runInstaller [-mode] [-options] [(COMMAND_LINE_VARIABLE=VARIABLE_VALUE)*]

For example:

./runInstaller -silent -response FILE

On Windows

The following is the syntax for running the Installer from the command line on Windows systems:

setup.exe [-mode] [-options] [(COMMAND_LINE_VARIABLE=VARIABLE_VALUE)*]


For example:

setup.exe -silent -response FILE

H.5 Installer Command Line Parameters

Table H–1 lists and describes the supported Installer command line parameters:

Table H–1 Installer Command Line Parameters

Parameter Description

Installation Modes - Only One Mode Can be Specified

-i | -install Launches the Installer in GUI mode. This is the default mode and is used if no mode is specified on the command line.

-silent Install in silent mode. The Installer must be passed either a response file or command line variable value pairs.

-d | -deinstall Launches the Installer in GUI mode for deinstallation.

-p | -prerequisite Launches the Installer in GUI mode but only checks the prerequisites. No software is installed.

-v | -validate Launches the Installer in GUI mode and performs all prerequisite and validation checking, but does not install any software.

-sv | -silentvalidate Performs all prerequisite and validation checking in silent mode. You must pass the Installer either a response file or a series of command line variable value pairs.

Installation Options

-help | --help | --usage Displays the usage parameters for the runInstaller command.

-invPtrLoc file Pointer to the inventory location file. Replace file with the full path and name of the oraInst.loc file.

-response file | -responseFile file

Pointer to the response file. Replace file with the full path and name of the response file.

-jreLoc location Pointer to the location where Java Runtime Environment (JRE) is installed. Replace location with the full path to the jre directory where your JRE is installed.

-logLevel level Specify the level of logging performed by the Installer; all messages with a lower priority than the specified level will be recorded. Valid levels are:

■ severe

■ warning

■ info

■ config

■ fine

■ finer

■ finest

-debug Obtain debug information from the Installer.

-force Allow the silent installation to proceed in a non-empty directory.

-printdiskusage Log debugging information pertaining to disk usage.

-printmemory Log debugging information pertaining to memory usage.


-printtime Log debugging information pertaining to time usage. This command causes the timeTakentimestamp.log file to be created.

-waitforcompletion Windows only - the Installer will wait for completion instead of spawning the Java engine and exiting.

-noconsole Messages will not be displayed to the console window.

-ignoreSysPrereqs Ignore the results of the system prerequisite checks and continue with the installation.

-executeSysPrereqs Execute the system prerequisite checks only, then exit.

-paramFile file Specify the full path to the oraparam.ini file. This file is the initialization file for the Installer. The default location of this file is Disk1/install/platform.

-novalidation Disables all validation checking performed by the Installer.

-nodefaultinput For the GUI install, several screens have information or default values pre-populated. Specifying this option disables this behavior so that no information or values are pre-populated.

Command Line Variables

Installer Variables Installer variables are specified using varName=value. For example:

ORACLE_HOME=/scratch/install/IDM_Home

Session Variables Session variables are specified using session:varName=value


I Troubleshooting the Installation

This appendix describes solutions to common problems that you might encounter when installing Oracle Identity Management. It contains the following topics:

■ General Troubleshooting Tips

■ Installation Log Files

■ Configuring OIM Against an Existing OIM 11g Schema

■ Need More Help?

I.1 General Troubleshooting Tips

If you encounter an error during installation:

■ Consult the Oracle Fusion Middleware 11g Release 2 (11.1.2) Release Notes. You can access the Release Notes on the Oracle Technology Network (OTN) Documentation Web site at the following URL:

http://www.oracle.com/technetwork/indexes/documentation/index.html

■ Verify your system and configuration is certified. See Section 2.1, "Reviewing System Requirements and Certification" for more information.

■ Verify your system meets the minimum system requirements. See Section 2.1, "Reviewing System Requirements and Certification" for more information.

■ Verify you have satisfied the dependencies for the deployment you are attempting. Each deployment documented in this guide contains a "Dependencies" section.

■ If you entered incorrect information on one of the installation screens, return to that screen by clicking Back until you see the screen.

■ If an error occurred while the Installer is copying or linking files:

1. Note the error and review the installation log files.

2. Remove the failed installation. See Appendix G, "Deinstalling and Reinstalling Oracle Identity and Access Management" for more information.

3. Correct the issue that caused the error.

4. Restart the installation.

■ If an error occurred while configuring Oracle Identity Manager using the Oracle Identity Manager Configuration Wizard:

1. Note the error and review the configuration log files.


2. Verify whether the dependencies are met. For example, Administration Server and Database should be up and running.

3. Correct the issue that caused the error.

4. Restart the Oracle Identity Manager Configuration Wizard.

I.2 Installation Log Files

The Installer writes log files to the ORACLE_INVENTORY_LOCATION/logs directory on UNIX systems and to the ORACLE_INVENTORY_LOCATION\logs directory on Windows systems.

On UNIX systems, if you do not know the location of your Oracle Inventory directory, you can find it in the ORACLE_HOME/oraInst.loc file.

On Microsoft Windows systems, the default location for the inventory log directory is C:\Program Files\Oracle\Inventory\logs.

The WebLogic server log files are created in the <DOMAIN_HOME>/servers/<server_name>/logs directory.

The following install log files are written to the log directory:

■ installDATE-TIME_STAMP.log

■ installDATE-TIME_STAMP.out

■ installActionsDATE-TIME_STAMP.log

■ installProfileDATE-TIME_STAMP.log

■ oraInstallDATE-TIME_STAMP.err

■ oraInstallDATE-TIME_STAMP.log

I.3 Configuring OIM Against an Existing OIM 11g Schema

In this scenario, you have created and loaded the appropriate Oracle Identity Manager (OIM) schema, and installed and configured Oracle Identity Manager in a new or existing WebLogic domain. During domain configuration, you have configured JDBC Component Schemas by using the Oracle Fusion Middleware Configuration Wizard.

If you want to configure Oracle Identity Manager in a second WebLogic domain against the existing Oracle Identity Manager 11g schemas, you must complete the following steps when you try to configure Oracle Identity Manager using the Oracle Identity Manager Configuration Wizard:

1. When prompted, you must copy the .xldatabasekey file from the first WebLogic domain directory (/<MW_HOME>/user_projects/domains/<name_of_your_first_oim_domain>/config/fmwconfig/) to the second WebLogic domain directory (/<MW_HOME>/user_projects/domains/<name_of_your_second_oim_domain>/config/fmwconfig/). Proceed with the Oracle Identity Manager configuration.

2. After configuring Oracle Identity Manager using the Oracle Identity Manager Configuration Wizard, copy the cwallet.so, default_keystore.jks, and xlserver.crt files from the first WebLogic domain directory (/<MW_HOME>/user_projects/domains/<name_of_your_first_oim_domain>/config/fmwconfig/) to the second domain Home directory (/<MW_HOME>/user_projects/domains/<name_of_your_second_oim_domain>/config/fmwconfig/).


3. After copying the files, start the Oracle Identity Manager Managed Server, as described in Appendix C.1, "Starting the Stack".

I.4 Need More Help?

If you cannot solve a problem using the information in this appendix, look for additional information in My Oracle Support at http://support.oracle.com.

If you cannot find a solution to your problem, open a service request.


J Oracle Adaptive Access Manager Partition Schema Reference

This appendix provides information about tables and stored procedures used with Oracle Adaptive Access Manager with Partition support.

It contains the following topics:

■ Overview

■ Partition Add Maintenance

■ Partition Maintenance Scripts

J.1 Overview

Database tables in the Oracle Adaptive Access Manager database are divided into the following categories:

■ Static partition tables

■ Transactional partition tables

■ Non-partitioned tables

Note: All the tables contain the composite partition (RANGE, HASH). The Range partition is created using CREATE_TIME while the HASH key is defined based on application logic.

Table J–1 lists the Oracle Adaptive Access Manager partition tables. All the other tables are non-partitioned.


J.2 Partition Add Maintenance

After the initial Oracle Adaptive Access Manager repository setup, the following stored procedures are set up as dbms_jobs to maintain the partitions on a regular basis:

■ Sp_Oaam_Add_Monthly_Partition

■ Sp_Oaam_Add_Weekly_Partition

J.2.1 Sp_Oaam_Add_Monthly_Partition

This stored procedure adds partitions for tables with the monthly frequency.

The script runs at the end of each month to create partitions for the following month. To simultaneously add partitions for subsequent months, the partitions are added based on the partition of the previous month.

If this stored procedure fails to execute (that is, if your monthly partition is missing), you may see database errors ORA-14400 and ORA-14401, which force the Oracle Adaptive Access Manager application to stop.

J.2.2 Sp_Oaam_Add_Weekly_Partition

This stored procedure adds partitions for tables with the weekly frequency.

The script runs at the end of each week to create partitions for the following week. To simultaneously add partitions for subsequent weeks, the partitions are added based on the partition of the previous week.

If this stored procedure fails to execute (that is, if your weekly partition is missing), you may see database errors ORA-14400 and ORA-14401, which force the Oracle Adaptive Access Manager application to stop.

Table J–1 Oracle Adaptive Access Manager Database Partition Tables

Table Type               Frequency   Table Name
Static Partition         Monthly     V_USER_QA
                                     V_USER_QA_HIST
Transactional Partition  Monthly     VCRYPT_TRACKER_NODE_HISTORY
                                     VCRYPT_TRACKER_USERNODE_LOGS
                                     VCRYPT_TRACKER_NODE
                                     VT_USER_DEVICE_MAP
                                     V_MONITOR_DATA
                                     VT_SESSION_ACTION_MAP
                                     VT_ENTITY_ONE
                                     VT_ENTITY_ONE_PROFILE
                                     VT_USER_ENTITY1_MAP
                                     VT_ENT_TRX_MAP
                                     VT_TRX_DATA
                                     VT_TRX_LOGS
Transactional Partition  Weekly      VR_POLICYSET_LOGS
                                     VR_POLICY_LOGS
                                     VR_RULE_LOGS
                                     VR_MODULE_LOGS

J.3 Partition Maintenance Scripts

After the initial Oracle Adaptive Access Manager repository setup, use the following scripts together with your purging or archiving maintenance scripts to maintain the partitions on a regular basis:

■ drop_monthly_partition_tables.sql

■ drop_weekly_partition_tables.sql

■ add_monthly_partition_tables.sql

■ add_weekly_partition_tables.sql

The above mentioned scripts are located in <IAM_ORACLE_HOME>\oaam\oaam_db_maint_scripts\oaam_db_partition_maint_scripts

J.3.1 drop_monthly_partition_tables.sql

You can use this script to drop partitions for tables with the monthly frequency. You should run this script at the end of each month to drop partitions older than six months, based on the requirements of the Oracle Adaptive Access Manager application. Note that these tables will have six partitions at any given time.

J.3.2 drop_weekly_partition_tables.sql

You can use this script to drop partitions for tables with the weekly frequency. You should run this script either at the end of every fourteenth day or at the end of the third week from the day the Oracle database was created, to drop partitions older than two weeks, based on the requirements of the Oracle Adaptive Access Manager application.

J.3.3 add_monthly_partition_tables.sql

You can use this script to add partitions for tables with the monthly frequency. You should run this script at the end of each month to create partitions for the following month. To add partitions for subsequent months at the same time, run this script multiple times. When you run the script multiple times, partitions are added based on the previous month's partition.

J.3.4 add_weekly_partition_tables.sql

You can use this script to add partitions for tables with the weekly frequency. You should run this script at the end of each month to create partitions for the following week. To add partitions for subsequent weeks at the same time, run this script multiple times. When you run the script multiple times, partitions are added based on the previous week's partition.

Note: You do not have to run the partition add scripts, because automated dbms_jobs create partitions at regular intervals. Use the scripts only when you need to create partitions manually.
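Because a missing weekly partition surfaces as ORA-14400/ORA-14401 and stops the application, it is worth checking the partition state and the partition-adding jobs before each maintenance window rather than waiting for the error. The following queries are an added example and are not part of this guide or of the OAAM maintenance scripts. They assume you are connected as the OAAM schema owner, so that the USER_* dictionary views show the OAAM tables and DBMS_JOB jobs; the table names come from Table J–1, while the filter on the word PARTITION in the job text is an assumption, since the guide does not name the automated jobs.

```sql
-- Added example, not from the Oracle guide. Assumes you are connected as the
-- OAAM schema owner, so USER_* views show the OAAM tables and jobs.

-- 1. List every partition of the weekly-partitioned tables from Table J-1 with
--    its upper bound (HIGH_VALUE). The last partition of each table should cover
--    the coming week; if it does not, inserts for that week fail with ORA-14400
--    (partition key does not map to any partition) and OAAM stops.
SELECT table_name,
       partition_name,
       partition_position,
       high_value
FROM   user_tab_partitions
WHERE  table_name IN ('VR_POLICYSET_LOGS', 'VR_POLICY_LOGS',
                      'VR_RULE_LOGS', 'VR_MODULE_LOGS')
ORDER  BY table_name, partition_position;

-- 2. Count partitions per monthly table. The guide states these tables hold six
--    partitions at a time, so a count that drifts away from six means either the
--    drop script or the add job has fallen behind schedule.
SELECT table_name,
       COUNT(*) AS partition_count
FROM   user_tab_partitions
WHERE  table_name IN ('V_USER_QA', 'V_USER_QA_HIST',
                      'VCRYPT_TRACKER_NODE_HISTORY', 'VCRYPT_TRACKER_USERNODE_LOGS',
                      'VCRYPT_TRACKER_NODE', 'VT_USER_DEVICE_MAP', 'V_MONITOR_DATA',
                      'VT_SESSION_ACTION_MAP', 'VT_ENTITY_ONE', 'VT_ENTITY_ONE_PROFILE',
                      'VT_USER_ENTITY1_MAP', 'VT_ENT_TRX_MAP', 'VT_TRX_DATA', 'VT_TRX_LOGS')
GROUP  BY table_name
ORDER  BY table_name;

-- 3. Check the DBMS_JOB jobs that add partitions. The guide does not name them,
--    so the LIKE filter on the job text is an assumption; adjust it to match your
--    schema. BROKEN = 'Y', a non-zero FAILURES count, or a NEXT_DATE in the past
--    means the job is not running and the next partition will not be created.
SELECT job,
       what,
       next_date,
       broken,
       failures
FROM   user_jobs
WHERE  UPPER(what) LIKE '%PARTITION%'
ORDER  BY next_date;
```

Run the queries from SQL*Plus or SQL Developer as the OAAM schema owner; if a weekly table's highest partition does not extend past the coming week, or a job shows BROKEN = 'Y', run the matching add script from Section J.3 manually and repair the job before the application hits the missing range.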


K Software Deinstallation Screens

This appendix describes the screens of the Oracle Fusion Middleware 11g Deinstallation Wizard that enables you to remove the Oracle Identity and Access Management software from your machine. This appendix contains the following topics:

■ Welcome

■ Select Deinstallation Type

■ Deinstallation Progress

■ Deinstallation Complete

K.1 Welcome

The Welcome screen is the first screen that appears when you start the Oracle Fusion Middleware 11g Deinstallation Wizard.

Figure K–1 Welcome Screen


Click Next to continue.

K.2 Select Deinstallation Type

Select the type of deinstallation you want to perform.

Figure K–2 Select Deinstallation Type Screen

Click Next to continue.

Table K–1 Deinstallation Types

Type: Deinstall Oracle Home
Description: Select this option to deinstall the binaries contained in the listed Oracle Identity and Access Management Oracle Home. If you select this option, the Deinstall Oracle Home screen appears next, where you can save a response file that contains the deinstallation settings before deinstalling.

Type: Deinstall ASInstances managed by WebLogic Domain
Description: Applicable to Oracle Internet Directory and Oracle Virtual Directory only. Select this option to deinstall the Oracle Identity and Access Management system component instances, such as Oracle Internet Directory and Oracle Virtual Directory, that are registered in a WebLogic domain. If you select this option, the Specify WebLogic Domain Detail screen appears next, where you identify the administration domain containing the system components you want to deinstall. The Select Managed Instance screen appears next, where you identify the instances you want to deinstall.

K.2.1 Option 1: Deinstall Oracle Home

If you selected Deinstall Oracle Home on the Select Deinstallation Type screen, the following screen appears:


K.2.1.1 Deinstall Oracle Home

This screen shows the Oracle Home directory that is about to be deinstalled. It is the Oracle Home directory in which the deinstaller was started.

Figure K–3 Deinstall Oracle Home Screen

Verify that this is the correct directory, and also verify that there are no processes associated with this Oracle Home.

Click Deinstall to start the deinstallation process.

K.2.2 Option 2: Deinstall ASInstances managed by WebLogic Domain

If you selected Deinstall ASInstances managed by WebLogic Domain on the Select Deinstallation Type screen, the following screens appear:

■ Specify WebLogic Domain Detail

■ Select Managed Instance

■ Deinstallation Summary (Managed Instance)

K.2.2.1 Specify WebLogic Domain Detail

Specify the WebLogic Domain credentials:

■ Domain Host Name

The name of the system on which the WebLogic Domain is running.

■ Domain Port No

Listen port number of the domain. The default port number is 7001.

■ User Name

The WebLogic Domain user name.


■ Password

The password of the WebLogic Domain user.

Figure K–4 Specify WebLogic Domain Detail Screen

Click Next to continue.

K.2.2.2 Select Managed Instance

Select the managed instance you want to deinstall.


Figure K–5 Select Managed Instance Screen

Click Next to continue.

K.2.2.3 Deinstallation Summary (Managed Instance)

Verify that the specified instance is the one you want to deinstall.

Figure K–6 Deinstallation Summary Screen


Click Deinstall to start the deinstallation process.

K.2.3 Option 3: Deinstall Unmanaged ASInstances

If you selected Deinstall Unmanaged ASInstances on the Select Deinstallation Type screen, the following screens appear:

■ Specify Instance Location

■ Deinstallation Summary (Unmanaged ASInstance)

K.2.3.1 Specify Instance Location

Specify the full path to your Oracle Instance directory. If you are unsure, click Browse to find this directory on your system.

Figure K–7 Specify Instance Location Screen

Click Next to continue.

K.2.3.2 Deinstallation Summary (Unmanaged ASInstance)

Verify that the specified instance is the one you want to deinstall.


Figure K–8 Deinstallation Summary Screen

Click Deinstall to start the deinstallation process.

K.3 Deinstallation Progress

This screen shows you the progress of the deinstallation.


Figure K–9 Deinstallation Progress Screen

If you want to quit before the deinstallation is completed, click Cancel.

K.4 Deinstallation Complete

This screen summarizes the deinstallation that was just completed.


Figure K–10 Deinstallation Complete Screen

Click Finish to dismiss the deinstaller.
